From 1fdcec33a4b1d1517ef4b16d551729e5f84b4fa8 Mon Sep 17 00:00:00 2001
From: Sven Fuchs <me@svenfuchs.com>
Date: Fri, 14 Sep 2012 21:48:22 +0200
Subject: [PATCH 01/42] use services

---
 Gemfile                                     |  2 +-
 Gemfile.lock                                |  9 +++++----
 lib/travis/api/app/endpoint/artifacts.rb    |  4 +++-
 lib/travis/api/app/endpoint/branches.rb     |  9 +--------
 lib/travis/api/app/endpoint/builds.rb       | 14 ++------------
 lib/travis/api/app/endpoint/hooks.rb        |  8 ++++++--
 lib/travis/api/app/endpoint/jobs.rb         | 14 ++++----------
 lib/travis/api/app/endpoint/repositories.rb | 14 ++++++++------
 lib/travis/api/app/endpoint/stats.rb        |  4 ++--
 lib/travis/api/app/endpoint/workers.rb      |  4 +++-
 10 files changed, 35 insertions(+), 47 deletions(-)

diff --git a/Gemfile b/Gemfile
index 6b5df9fd..2acc2f12 100644
--- a/Gemfile
+++ b/Gemfile
@@ -4,7 +4,7 @@ source :rubygems
 gemspec
 
 gem 'travis-support', github: 'travis-ci/travis-support'
-gem 'travis-core',    github: 'travis-ci/travis-core'
+gem 'travis-core',    github: 'travis-ci/travis-core', branch: 'sf-moar-services'
 gem 'hubble',         github: 'roidrage/hubble'
 gem 'yard-sinatra',   github: 'rkh/yard-sinatra'
 gem 'gh',             github: 'rkh/gh'
diff --git a/Gemfile.lock b/Gemfile.lock
index 43304774..dbf4e81f 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -32,7 +32,8 @@ GIT
 
 GIT
   remote: git://github.com/travis-ci/travis-core.git
-  revision: b71c3be388451581f2ca60e6fd862c2bfc56bfb6
+  revision: db8c123f2e2a35a8983f10c6524ccbab96f27ba7
+  branch: sf-moar-services
   specs:
     travis-core (0.0.1)
       actionmailer (~> 3.2.3)
@@ -105,7 +106,7 @@ GEM
     atomic (1.0.1)
     avl_tree (1.1.3)
     backports (2.6.2)
-    builder (3.0.0)
+    builder (3.0.3)
     daemons (1.1.8)
     data_migrations (0.0.1)
       activerecord
@@ -120,7 +121,7 @@ GEM
     ffi (1.1.0)
     foreman (0.53.0)
       thor (>= 0.13.6)
-    hashr (0.0.21)
+    hashr (0.0.22)
     hike (1.2.1)
     hitimes (1.1.1)
     i18n (0.6.0)
@@ -196,7 +197,7 @@ GEM
     rspec-expectations (2.11.2)
       diff-lcs (~> 1.1.3)
     rspec-mocks (2.11.1)
-    signature (0.1.3)
+    signature (0.1.4)
     simple_states (0.1.1)
       activesupport
       hashr (~> 0.0.10)
diff --git a/lib/travis/api/app/endpoint/artifacts.rb b/lib/travis/api/app/endpoint/artifacts.rb
index 88fae5a9..d5fbfc86 100644
--- a/lib/travis/api/app/endpoint/artifacts.rb
+++ b/lib/travis/api/app/endpoint/artifacts.rb
@@ -5,7 +5,9 @@ class Travis::Api::App
     # TODO: Add documentation.
     class Artifacts < Endpoint
       # TODO: Add documentation.
-      get('/:id') { |id| body Artifact.find(id) }
+      get('/:id') do |id|
+        service(:artifacts).find_one(params)
+      end
     end
   end
 end
diff --git a/lib/travis/api/app/endpoint/branches.rb b/lib/travis/api/app/endpoint/branches.rb
index 39d48606..ffe83a6f 100644
--- a/lib/travis/api/app/endpoint/branches.rb
+++ b/lib/travis/api/app/endpoint/branches.rb
@@ -6,15 +6,8 @@ class Travis::Api::App
     class Branches < Endpoint
       # TODO: Add documentation.
       get('/') do
-        body repository, :type => "Branches"
+        body service(:branches).find_all(params)
       end
-
-      private
-
-        def repository
-          pass if params.empty?
-          Repository.find_by(params) || not_found
-        end
     end
   end
 end
diff --git a/lib/travis/api/app/endpoint/builds.rb b/lib/travis/api/app/endpoint/builds.rb
index 911913cc..14566d9f 100644
--- a/lib/travis/api/app/endpoint/builds.rb
+++ b/lib/travis/api/app/endpoint/builds.rb
@@ -6,23 +6,13 @@ class Travis::Api::App
     class Builds < Endpoint
       # TODO: Add documentation.
       get '/' do
-        scope = repository.builds.by_event_type(params[:event_type] || 'push')
-        scope = params[:after] ? scope.older_than(params[:after]) : scope.recent
-        scope
+        service(:builds).find_all(params)
       end
 
       # TODO: Add documentation.
       get '/:id' do
-        one = params[:repository_id] ? repository.builds : Build
-        body one.includes(:commit, :matrix => [:commit, :log]).find(params[:id])
+        service(:builds).find_one(params)
       end
-
-      private
-
-        def repository
-          pass if params.empty?
-          Repository.find_by(params) || not_found
-        end
     end
   end
 end
diff --git a/lib/travis/api/app/endpoint/hooks.rb b/lib/travis/api/app/endpoint/hooks.rb
index b8dfbc50..1a4f2dcd 100644
--- a/lib/travis/api/app/endpoint/hooks.rb
+++ b/lib/travis/api/app/endpoint/hooks.rb
@@ -5,10 +5,14 @@ class Travis::Api::App
     # TODO: Add documentation.
     class Hooks < Endpoint
       # TODO: Add implementation and documentation.
-      get('/', scope: :private) { raise NotImplementedError }
+      get('/', scope: :private) do
+        service(:builds).find_all(params)
+      end
 
       # TODO: Add implementation and documentation.
-      put('/:id', scope: :admin) { raise NotImplementedError }
+      put('/:id', scope: :admin) do
+        respond_with service(:hooks).update(params)
+      end
     end
   end
 end
diff --git a/lib/travis/api/app/endpoint/jobs.rb b/lib/travis/api/app/endpoint/jobs.rb
index 923da07f..8c2f21bb 100644
--- a/lib/travis/api/app/endpoint/jobs.rb
+++ b/lib/travis/api/app/endpoint/jobs.rb
@@ -4,20 +4,14 @@ class Travis::Api::App
   class Endpoint
     # TODO: Add documentation.
     class Jobs < Endpoint
-      # TODO: Add implementation and documentation.
+      # TODO: Add documentation.
       get('/') do
-        if params[:ids]
-          Job.where(:id => params[:ids]).includes(:commit, :log)
-        else
-          jobs = Job.queued.includes(:commit, :log)
-          jobs = jobs.where(:queue => params[:queue]) if params[:queue]
-          jobs
-        end
+        service(:jobs).find_all(params)
       end
 
-      # TODO: Add implementation and documentation.
+      # TODO: Add documentation.
       get('/:id') do
-        body Job.find(params[:id])
+        service(:jobs).find_one(params)
       end
     end
   end
diff --git a/lib/travis/api/app/endpoint/repositories.rb b/lib/travis/api/app/endpoint/repositories.rb
index 90040db2..3053093d 100644
--- a/lib/travis/api/app/endpoint/repositories.rb
+++ b/lib/travis/api/app/endpoint/repositories.rb
@@ -6,15 +6,17 @@ class Travis::Api::App
     class Repositories < Endpoint
       # TODO: Add documentation.
       get '/' do
-        scope = Repository.timeline.recent
-        scope = scope.by_owner_name(params[:owner_name]) if params[:owner_name]
-        scope = scope.by_slug(params[:slug])             if params[:slug]
-        scope = scope.search(params[:search])            if params[:search].present?
-        scope
+        body service(:repositories).find_all(params)
       end
 
       # TODO: Add documentation.
-      get('/:id') { body Repository.find_by(params) }
+      get('/:id') do
+        body service(:repositories).find_one(params)
+      end
+
+      # TODO make sure status images and cc.xml work
+      # rescue ActiveRecord::RecordNotFound
+      #   raise unless params[:format] == 'png'
     end
   end
 end
diff --git a/lib/travis/api/app/endpoint/stats.rb b/lib/travis/api/app/endpoint/stats.rb
index 51dfaac1..0301cb44 100644
--- a/lib/travis/api/app/endpoint/stats.rb
+++ b/lib/travis/api/app/endpoint/stats.rb
@@ -6,12 +6,12 @@ class Travis::Api::App
     class Stats < Endpoint
       # TODO: Add documentation.
       get('/repos') do
-        { :stats => Travis::Stats.daily_repository_counts }
+        { :stats => services(:stats).daily_repository_counts }
       end
 
       # TODO: Add documentation.
       get('/tests') do
-        { :stats => Travis::Stats.daily_tests_counts }
+        { :stats => services(:stats).daily_tests_counts }
       end
     end
   end
diff --git a/lib/travis/api/app/endpoint/workers.rb b/lib/travis/api/app/endpoint/workers.rb
index 4c5c25f3..90516ac0 100644
--- a/lib/travis/api/app/endpoint/workers.rb
+++ b/lib/travis/api/app/endpoint/workers.rb
@@ -5,7 +5,9 @@ class Travis::Api::App
     # TODO: Add documentation.
     class Workers < Endpoint
       # TODO: Add implementation and documentation.
-      get('/') { Worker.order(:host, :name) }
+      get('/') do
+        service(:workers).find_all(params)
+      end
     end
   end
 end

From 79e382ce0b22dac2e413cdbb091c2ed07a987a7e Mon Sep 17 00:00:00 2001
From: Sven Fuchs <me@svenfuchs.com>
Date: Sat, 15 Sep 2012 12:06:33 +0200
Subject: [PATCH 02/42] add services

---
 lib/travis/api/app.rb          | 4 ++++
 lib/travis/api/app/endpoint.rb | 7 +++++++
 2 files changed, 11 insertions(+)

diff --git a/lib/travis/api/app.rb b/lib/travis/api/app.rb
index 36d1f1d8..1b2b7230 100644
--- a/lib/travis/api/app.rb
+++ b/lib/travis/api/app.rb
@@ -75,6 +75,10 @@ class Travis::Api::App
 
     def self.setup_travis
       Travis::Database.connect
+
+      Travis::Services.constants.each do |name|
+        Travis.services[name.to_s.underscore.to_sym] = Travis::Services.const_get(name) unless name == :Base
+      end
     end
 
     def self.load_endpoints
diff --git a/lib/travis/api/app/endpoint.rb b/lib/travis/api/app/endpoint.rb
index 9d96435f..6fc5ced8 100644
--- a/lib/travis/api/app/endpoint.rb
+++ b/lib/travis/api/app/endpoint.rb
@@ -10,5 +10,12 @@ class Travis::Api::App
     before { content_type :json }
     error(ActiveRecord::RecordNotFound, Sinatra::NotFound) { not_found }
     not_found { content_type =~ /json/ ? { 'file' => 'not found' } : 'file not found' }
+
+    private
+
+      def service(key)
+        const = Travis.services[key] || raise("no service registered for #{key}")
+        const.new(respond_to?(:current_user) ? current_user : nil)
+      end
   end
 end

From c6ab5d3b981bb981a261764ae6d2590a9dc454d9 Mon Sep 17 00:00:00 2001
From: Sven Fuchs <me@svenfuchs.com>
Date: Sat, 15 Sep 2012 12:09:44 +0200
Subject: [PATCH 03/42] bump travis-support

---
 Gemfile.lock | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index dbf4e81f..a69290d8 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -32,7 +32,7 @@ GIT
 
 GIT
   remote: git://github.com/travis-ci/travis-core.git
-  revision: db8c123f2e2a35a8983f10c6524ccbab96f27ba7
+  revision: cbddb4179552344b578b20e320ac7e9d7c335b3d
   branch: sf-moar-services
   specs:
     travis-core (0.0.1)
@@ -54,7 +54,7 @@ GIT
 
 GIT
   remote: git://github.com/travis-ci/travis-support.git
-  revision: 27857bb4f5425b8aacc9b26e4661688dca962fb0
+  revision: b150763d253331de9adadcb5b39f7df5efccb676
   specs:
     travis-support (0.0.1)
 

From a2d195ecf9340c31c4ee2c439e3b2aac54181157 Mon Sep 17 00:00:00 2001
From: Sven Fuchs <me@svenfuchs.com>
Date: Sat, 15 Sep 2012 12:33:34 +0200
Subject: [PATCH 04/42] actually turn these objects into json

---
 lib/travis/api/app/endpoint/artifacts.rb | 2 +-
 lib/travis/api/app/endpoint/branches.rb  | 2 +-
 lib/travis/api/app/endpoint/builds.rb    | 4 ++--
 lib/travis/api/app/endpoint/hooks.rb     | 4 ++--
 lib/travis/api/app/endpoint/jobs.rb      | 4 ++--
 lib/travis/api/app/endpoint/workers.rb   | 2 +-
 6 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/lib/travis/api/app/endpoint/artifacts.rb b/lib/travis/api/app/endpoint/artifacts.rb
index d5fbfc86..2a1d51b4 100644
--- a/lib/travis/api/app/endpoint/artifacts.rb
+++ b/lib/travis/api/app/endpoint/artifacts.rb
@@ -6,7 +6,7 @@ class Travis::Api::App
     class Artifacts < Endpoint
       # TODO: Add documentation.
       get('/:id') do |id|
-        service(:artifacts).find_one(params)
+        body service(:artifacts).find_one(params)
       end
     end
   end
diff --git a/lib/travis/api/app/endpoint/branches.rb b/lib/travis/api/app/endpoint/branches.rb
index ffe83a6f..29917ca7 100644
--- a/lib/travis/api/app/endpoint/branches.rb
+++ b/lib/travis/api/app/endpoint/branches.rb
@@ -6,7 +6,7 @@ class Travis::Api::App
     class Branches < Endpoint
       # TODO: Add documentation.
       get('/') do
-        body service(:branches).find_all(params)
+        body service(:branches).find_all(params), :type => :branches
       end
     end
   end
diff --git a/lib/travis/api/app/endpoint/builds.rb b/lib/travis/api/app/endpoint/builds.rb
index 14566d9f..cd74c36e 100644
--- a/lib/travis/api/app/endpoint/builds.rb
+++ b/lib/travis/api/app/endpoint/builds.rb
@@ -6,12 +6,12 @@ class Travis::Api::App
     class Builds < Endpoint
       # TODO: Add documentation.
       get '/' do
-        service(:builds).find_all(params)
+        body service(:builds).find_all(params)
       end
 
       # TODO: Add documentation.
       get '/:id' do
-        service(:builds).find_one(params)
+        body service(:builds).find_one(params)
       end
     end
   end
diff --git a/lib/travis/api/app/endpoint/hooks.rb b/lib/travis/api/app/endpoint/hooks.rb
index 1a4f2dcd..cf2ebfae 100644
--- a/lib/travis/api/app/endpoint/hooks.rb
+++ b/lib/travis/api/app/endpoint/hooks.rb
@@ -6,12 +6,12 @@ class Travis::Api::App
     class Hooks < Endpoint
       # TODO: Add implementation and documentation.
       get('/', scope: :private) do
-        service(:builds).find_all(params)
+        body service(:builds).find_all(params)
       end
 
       # TODO: Add implementation and documentation.
       put('/:id', scope: :admin) do
-        respond_with service(:hooks).update(params)
+        body service(:hooks).update(params)
       end
     end
   end
diff --git a/lib/travis/api/app/endpoint/jobs.rb b/lib/travis/api/app/endpoint/jobs.rb
index 8c2f21bb..66a70aff 100644
--- a/lib/travis/api/app/endpoint/jobs.rb
+++ b/lib/travis/api/app/endpoint/jobs.rb
@@ -6,12 +6,12 @@ class Travis::Api::App
     class Jobs < Endpoint
       # TODO: Add documentation.
       get('/') do
-        service(:jobs).find_all(params)
+        body service(:jobs).find_all(params)
       end
 
       # TODO: Add documentation.
       get('/:id') do
-        service(:jobs).find_one(params)
+        body service(:jobs).find_one(params)
       end
     end
   end
diff --git a/lib/travis/api/app/endpoint/workers.rb b/lib/travis/api/app/endpoint/workers.rb
index 90516ac0..47ff90c0 100644
--- a/lib/travis/api/app/endpoint/workers.rb
+++ b/lib/travis/api/app/endpoint/workers.rb
@@ -6,7 +6,7 @@ class Travis::Api::App
     class Workers < Endpoint
       # TODO: Add implementation and documentation.
       get('/') do
-        service(:workers).find_all(params)
+        body service(:workers).find_all(params)
       end
     end
   end

From a8fc2f0e7ac41ee55b937e607b8897b2b118411b Mon Sep 17 00:00:00 2001
From: Sven Fuchs <me@svenfuchs.com>
Date: Sat, 15 Sep 2012 14:35:37 +0200
Subject: [PATCH 05/42] it's service, not services

---
 lib/travis/api/app/endpoint/stats.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/travis/api/app/endpoint/stats.rb b/lib/travis/api/app/endpoint/stats.rb
index 0301cb44..4463dcdb 100644
--- a/lib/travis/api/app/endpoint/stats.rb
+++ b/lib/travis/api/app/endpoint/stats.rb
@@ -6,12 +6,12 @@ class Travis::Api::App
     class Stats < Endpoint
       # TODO: Add documentation.
       get('/repos') do
-        { :stats => services(:stats).daily_repository_counts }
+        { :stats => service(:stats).daily_repository_counts }
       end
 
       # TODO: Add documentation.
       get('/tests') do
-        { :stats => services(:stats).daily_tests_counts }
+        { :stats => service(:stats).daily_tests_counts }
       end
     end
   end

From 3387c185fa9e226cfc3d0aca4713eff166089348 Mon Sep 17 00:00:00 2001
From: Sven Fuchs <me@svenfuchs.com>
Date: Sun, 16 Sep 2012 00:45:38 +0200
Subject: [PATCH 06/42] fake sign in

---
 lib/travis/api/app/endpoint.rb          |  7 ++++-
 lib/travis/api/app/endpoint/branches.rb |  2 +-
 lib/travis/api/app/endpoint/hooks.rb    |  5 ++--
 lib/travis/api/app/endpoint/profile.rb  | 39 +++++++++++++++++++++++--
 4 files changed, 47 insertions(+), 6 deletions(-)

diff --git a/lib/travis/api/app/endpoint.rb b/lib/travis/api/app/endpoint.rb
index 6fc5ced8..31eb233e 100644
--- a/lib/travis/api/app/endpoint.rb
+++ b/lib/travis/api/app/endpoint.rb
@@ -15,7 +15,12 @@ class Travis::Api::App
 
       def service(key)
         const = Travis.services[key] || raise("no service registered for #{key}")
-        const.new(respond_to?(:current_user) ? current_user : nil)
+        const.new(current_user)
+      end
+
+      def current_user
+        # TODO
+        User.where(:login => 'svenfuchs').first
       end
   end
 end
diff --git a/lib/travis/api/app/endpoint/branches.rb b/lib/travis/api/app/endpoint/branches.rb
index 29917ca7..52d83a50 100644
--- a/lib/travis/api/app/endpoint/branches.rb
+++ b/lib/travis/api/app/endpoint/branches.rb
@@ -6,7 +6,7 @@ class Travis::Api::App
     class Branches < Endpoint
       # TODO: Add documentation.
       get('/') do
-        body service(:branches).find_all(params), :type => :branches
+        body service(:branches).find_all(params), type: :branches
       end
     end
   end
diff --git a/lib/travis/api/app/endpoint/hooks.rb b/lib/travis/api/app/endpoint/hooks.rb
index cf2ebfae..fd590db5 100644
--- a/lib/travis/api/app/endpoint/hooks.rb
+++ b/lib/travis/api/app/endpoint/hooks.rb
@@ -5,8 +5,9 @@ class Travis::Api::App
     # TODO: Add documentation.
     class Hooks < Endpoint
       # TODO: Add implementation and documentation.
-      get('/', scope: :private) do
-        body service(:builds).find_all(params)
+      # TODO scope: :private
+      get('/') do
+        body service(:hooks).find_all(params), type: :hooks
       end
 
       # TODO: Add implementation and documentation.
diff --git a/lib/travis/api/app/endpoint/profile.rb b/lib/travis/api/app/endpoint/profile.rb
index 8a9096c6..5e6f3fa7 100644
--- a/lib/travis/api/app/endpoint/profile.rb
+++ b/lib/travis/api/app/endpoint/profile.rb
@@ -18,10 +18,45 @@ class Travis::Api::App
       #         "synced_at": "2012-08-14T22:11:21Z"
       #       }
       #     }
-      get('/', scope: :private) { body(user) }
+      get '/', scope: :private do
+        body user
+      end
+
+      put '/', scope: :private do
+        raise NotImplementedError
+        update_locale if valid_locale?
+        'ok'
+      end
 
       # TODO: Add implementation and documentation.
-      post('/sync', scope: :private) { raise NotImplementedError }
+      post '/sync', scope: :private do
+        raise NotImplementedError
+        sync_user(current_user)
+        'ok'
+      end
+
+      private
+
+        def sync_user(user)
+          unless user.is_syncing?
+            publisher = Travis::Amqp::Publisher.new('sync.user')
+            publisher.publish({ user_id: user.id }, type: 'sync')
+            user.update_column(:is_syncing, true)
+          end
+        end
+
+        def locale
+          params[:user][:locale]
+        end
+
+        def valid_locale?
+          I18n.available_locales.include?(locale.to_sym) # ???
+        end
+
+        def update_locale
+          current_user.update_attributes!(:locale => locale.to_s)
+          session[:locale] = locale # ???
+        end
     end
   end
 end

From 957e9ee37896034237ad5e32abae9b432df9c228 Mon Sep 17 00:00:00 2001
From: Sven Fuchs <me@svenfuchs.com>
Date: Sun, 16 Sep 2012 00:46:25 +0200
Subject: [PATCH 07/42] bump travis-core

---
 Gemfile      |  2 +-
 Gemfile.lock | 40 ++++++++++++++++++++--------------------
 2 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/Gemfile b/Gemfile
index 2acc2f12..cd248d6b 100644
--- a/Gemfile
+++ b/Gemfile
@@ -4,7 +4,7 @@ source :rubygems
 gemspec
 
 gem 'travis-support', github: 'travis-ci/travis-support'
-gem 'travis-core',    github: 'travis-ci/travis-core', branch: 'sf-moar-services'
+gem 'travis-core',    github: 'travis-ci/travis-core', branch: 'sf-more-services'
 gem 'hubble',         github: 'roidrage/hubble'
 gem 'yard-sinatra',   github: 'rkh/yard-sinatra'
 gem 'gh',             github: 'rkh/gh'
diff --git a/Gemfile.lock b/Gemfile.lock
index a69290d8..db903b3b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -32,8 +32,8 @@ GIT
 
 GIT
   remote: git://github.com/travis-ci/travis-core.git
-  revision: cbddb4179552344b578b20e320ac7e9d7c335b3d
-  branch: sf-moar-services
+  revision: fec30393c46107e1ce4bd1600887d24c290f520a
+  branch: sf-more-services
   specs:
     travis-core (0.0.1)
       actionmailer (~> 3.2.3)
@@ -77,35 +77,35 @@ PATH
 GEM
   remote: http://rubygems.org/
   specs:
-    actionmailer (3.2.6)
-      actionpack (= 3.2.6)
+    actionmailer (3.2.8)
+      actionpack (= 3.2.8)
       mail (~> 2.4.4)
-    actionpack (3.2.6)
-      activemodel (= 3.2.6)
-      activesupport (= 3.2.6)
+    actionpack (3.2.8)
+      activemodel (= 3.2.8)
+      activesupport (= 3.2.8)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
-      journey (~> 1.0.1)
+      journey (~> 1.0.4)
       rack (~> 1.4.0)
       rack-cache (~> 1.2)
       rack-test (~> 0.6.1)
       sprockets (~> 2.1.3)
-    activemodel (3.2.6)
-      activesupport (= 3.2.6)
+    activemodel (3.2.8)
+      activesupport (= 3.2.8)
       builder (~> 3.0.0)
-    activerecord (3.2.6)
-      activemodel (= 3.2.6)
-      activesupport (= 3.2.6)
+    activerecord (3.2.8)
+      activemodel (= 3.2.8)
+      activesupport (= 3.2.8)
       arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activesupport (3.2.6)
+    activesupport (3.2.8)
       i18n (~> 0.6)
       multi_json (~> 1.0)
     addressable (2.3.2)
     arel (3.0.2)
     atomic (1.0.1)
     avl_tree (1.1.3)
-    backports (2.6.2)
+    backports (2.6.4)
     builder (3.0.3)
     daemons (1.1.8)
     data_migrations (0.0.1)
@@ -116,7 +116,7 @@ GEM
     eventmachine (0.12.10)
     factory_girl (2.4.2)
       activesupport
-    faraday (0.8.1)
+    faraday (0.8.4)
       multipart-post (~> 1.1)
     ffi (1.1.0)
     foreman (0.53.0)
@@ -124,7 +124,7 @@ GEM
     hashr (0.0.22)
     hike (1.2.1)
     hitimes (1.1.1)
-    i18n (0.6.0)
+    i18n (0.6.1)
     journey (1.0.4)
     json (1.6.7)
     listen (0.4.7)
@@ -169,9 +169,9 @@ GEM
       rack
     rack-test (0.6.1)
       rack (>= 1.0)
-    railties (3.2.6)
-      actionpack (= 3.2.6)
-      activesupport (= 3.2.6)
+    railties (3.2.8)
+      actionpack (= 3.2.8)
+      activesupport (= 3.2.8)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)

From ea96905e8a06a8ee7ab578b91f14b43f4fbf3927 Mon Sep 17 00:00:00 2001
From: Sven Fuchs <me@svenfuchs.com>
Date: Tue, 18 Sep 2012 00:04:20 +0200
Subject: [PATCH 08/42] un-private /profile

---
 lib/travis/api/app/endpoint/profile.rb | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/lib/travis/api/app/endpoint/profile.rb b/lib/travis/api/app/endpoint/profile.rb
index 5e6f3fa7..1e39238a 100644
--- a/lib/travis/api/app/endpoint/profile.rb
+++ b/lib/travis/api/app/endpoint/profile.rb
@@ -18,8 +18,9 @@ class Travis::Api::App
       #         "synced_at": "2012-08-14T22:11:21Z"
       #       }
       #     }
-      get '/', scope: :private do
-        body user
+      # , scope: :private
+      get '/' do
+        body service(:user).find_one, type: :user
       end
 
       put '/', scope: :private do
@@ -29,9 +30,10 @@ class Travis::Api::App
       end
 
       # TODO: Add implementation and documentation.
-      post '/sync', scope: :private do
-        raise NotImplementedError
-        sync_user(current_user)
+      # , scope: :private
+      post '/sync' do
+        # raise NotImplementedError
+        # sync_user(current_user)
         'ok'
       end
 

From 6606af4b43ef64d3ef97efeddda8524aff7c5281 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Mon, 17 Sep 2012 23:58:57 +0200
Subject: [PATCH 09/42] start working on post_message auth flow

Conflicts:
	Gemfile.lock
---
 lib/travis/api/app/endpoint/authorization.rb | 48 +++++++++++++++++---
 script/server                                |  2 +-
 2 files changed, 43 insertions(+), 7 deletions(-)

diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index 6d90e9be..2df888e9 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -1,4 +1,6 @@
 require 'travis/api/app'
+require 'addressable/uri'
+require 'faraday'
 
 class Travis::Api::App
   class Endpoint
@@ -58,14 +60,31 @@ class Travis::Api::App
       #
       # * **token**: GitHub token for checking authorization (required)
       post '/github' do
-        data   = GH.with(token: params[:token].to_s) { GH['user'] }
-        scopes = parse_scopes data.headers['x-oauth-scopes']
-        user   = User.find_by_login(data['login'])
+        { 'access_token' => github_to_travis(params[:token]) }
+      end
 
-        halt 403, 'not a Travis user'   if user.nil?
-        halt 403, 'insufficient access' unless acceptable? scopes
+      get '/post_message' do
+        config   = Travis.config.oauth2
+        endpoint = Addressable::URI.parse(config.authorization_server)
+        values   = {
+          client_id:    config.client_id,
+          scope:        config.scope,
+          redirect_uri: url
+        }
 
-        { 'access_token' => generate_token(user) }
+        if params[:code]
+          endpoint.path          = config.access_token_path
+          values[:code]          = params[:code]
+          values[:state]         = params[:state] if params[:state]
+          values[:client_secret] = config.client_secret
+
+          token = github_to_travis get_token(endpoint.to_s, values)
+          { 'access_token' => token }
+        else
+          endpoint.path         = config.authorize_path
+          endpoint.query_values = values
+          redirect to(endpoint.to_s)
+        end
       end
 
       error Faraday::Error::ClientError do
@@ -74,6 +93,23 @@ class Travis::Api::App
 
       private
 
+        def github_to_travis(token)
+          data   = GH.with(token: token.to_s) { GH['user'] }
+          scopes = parse_scopes data.headers['x-oauth-scopes']
+          user   = User.find_by_login(data['login'])
+
+          halt 403, 'not a Travis user'   if user.nil?
+          halt 403, 'insufficient access' unless acceptable? scopes
+
+          generate_token(user)
+        end
+
+        def get_token(endoint, value)
+          response   = Faraday.get(endoint, value)
+          parameters = Addressable::URI.form_unencode(response.body)
+          parameters.assoc("access_token").last
+        end
+
         def parse_scopes(data)
           data.gsub(/\s/,'').split(',') if data
         end
diff --git a/script/server b/script/server
index ef6391d4..d7e105dd 100755
--- a/script/server
+++ b/script/server
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 cd "$(dirname "$0")/.."
-[ $PORT ]     || PORT=5000
+[ $PORT ]     || PORT=3000
 [ $RACK_ENV ] || RACK_ENV=development
 
 cmd="ruby -I lib -S bundle exec ruby -I lib -S thin start -p $PORT -e $RACK_ENV --threaded"

From 4d6c8822e5c372cda27476d984b8bad9a29821a3 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Tue, 18 Sep 2012 16:34:57 +0200
Subject: [PATCH 10/42] update travis-core

---
 Gemfile.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index db903b3b..5dac3a14 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -32,7 +32,7 @@ GIT
 
 GIT
   remote: git://github.com/travis-ci/travis-core.git
-  revision: fec30393c46107e1ce4bd1600887d24c290f520a
+  revision: ea7a1678a0388e586ac4778a9b6ee56a11dfb0aa
   branch: sf-more-services
   specs:
     travis-core (0.0.1)

From 05acb00c2ed0fb3ba67f868bc2e68fdfdf9915cb Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Tue, 18 Sep 2012 16:35:29 +0200
Subject: [PATCH 11/42] reuse existing tokens for same app/scopes

---
 lib/travis/api/app/access_token.rb | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/lib/travis/api/app/access_token.rb b/lib/travis/api/app/access_token.rb
index f4944cf9..e48bf367 100644
--- a/lib/travis/api/app/access_token.rb
+++ b/lib/travis/api/app/access_token.rb
@@ -4,7 +4,7 @@ require 'securerandom'
 class Travis::Api::App
   class AccessToken
     DEFAULT_SCOPES = [:public, :private]
-    attr_reader :token, :scopes, :user_id
+    attr_reader :token, :scopes, :user_id, :app_id
 
     def self.create(options = {})
       new(options).tap(&:save)
@@ -12,22 +12,25 @@ class Travis::Api::App
 
     def self.find_by_token(token)
       user_id, app_id, *scopes = redis.lrange(key(token), 0, -1)
-      new(token: token, scopes: scopes, user_id: user_id) if user_id
+      new(token: token, scopes: scopes, user_id: user_id, app_id: app_id) if user_id
     end
 
     def initialize(options = {})
       raise ArgumentError, 'must supply either user_id or user' unless options.key?(:user) ^ options.key?(:user_id)
+      raise ArgumentError, 'must supply app_id' unless options.key?(:app_id)
 
-      @token    = options[:token] || SecureRandom.urlsafe_base64(64)
+      @app_id   = Integer(options[:app_id])
       @scopes   = Array(options[:scopes] || options[:scope] || DEFAULT_SCOPES).map(&:to_sym)
       @user     = options[:user]
       @user_id  = Integer(options[:user_id] || @user.id)
+      @token    = options[:token] || reuse_token || SecureRandom.urlsafe_base64(16)
     end
 
     def save
       key = key(token)
       redis.del(key)
       redis.rpush(key, [user_id, '', *scopes].map(&:to_s))
+      redis.set(reuse_key, token)
     end
 
     def user
@@ -55,5 +58,19 @@ class Travis::Api::App
 
     include Helpers
     extend Helpers
+
+    private
+
+      def reuse_token
+        redis.get(reuse_key)
+      end
+
+      def reuse_key
+        @reuse_key ||= begin
+          keys = ["r", user_id, app_id]
+          keys.append(scopes.mpa(&:to_s).sort) if scopes != DEFAULT_SCOPES
+          keys.join(':')
+        end
+      end
   end
 end

From e9523dc21df0b7cbc8291db97ff720708bccd72e Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Tue, 18 Sep 2012 16:36:06 +0200
Subject: [PATCH 12/42] use state to avoid handshake spoofing

---
 lib/travis/api/app/endpoint.rb               |  4 ++
 lib/travis/api/app/endpoint/authorization.rb | 39 +++++++++++++-------
 2 files changed, 30 insertions(+), 13 deletions(-)

diff --git a/lib/travis/api/app/endpoint.rb b/lib/travis/api/app/endpoint.rb
index 31eb233e..ebfeec22 100644
--- a/lib/travis/api/app/endpoint.rb
+++ b/lib/travis/api/app/endpoint.rb
@@ -22,5 +22,9 @@ class Travis::Api::App
         # TODO
         User.where(:login => 'svenfuchs').first
       end
+
+      def redis
+        Thread.current[:redis] ||= ::Redis.connect(url: Travis.config.redis.url)
+      end
   end
 end
diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index 2df888e9..cc640549 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -1,6 +1,7 @@
 require 'travis/api/app'
 require 'addressable/uri'
 require 'faraday'
+require 'securerandom'
 
 class Travis::Api::App
   class Endpoint
@@ -60,7 +61,7 @@ class Travis::Api::App
       #
       # * **token**: GitHub token for checking authorization (required)
       post '/github' do
-        { 'access_token' => github_to_travis(params[:token]) }
+        { 'access_token' => github_to_travis(params[:token], app_id: 1) }
       end
 
       get '/post_message' do
@@ -72,17 +73,18 @@ class Travis::Api::App
           redirect_uri: url
         }
 
-        if params[:code]
+        if params[:code] and state_ok?(params[:state])
           endpoint.path          = config.access_token_path
+          values[:state]         = params[:state]
           values[:code]          = params[:code]
-          values[:state]         = params[:state] if params[:state]
           values[:client_secret] = config.client_secret
-
-          token = github_to_travis get_token(endpoint.to_s, values)
+          github_token           = get_token(endpoint.to_s, values)
+          token                  = github_to_travis(github_token, app_id: 0)
           { 'access_token' => token }
         else
-          endpoint.path         = config.authorize_path
-          endpoint.query_values = values
+          values[:state]         = create_state
+          endpoint.path          = config.authorize_path
+          endpoint.query_values  = values
           redirect to(endpoint.to_s)
         end
       end
@@ -93,7 +95,18 @@ class Travis::Api::App
 
       private
 
-        def github_to_travis(token)
+        def create_state
+          state = SecureRandom.urlsafe_base64(16)
+          redis.sadd('github:states', state)
+          redis.expire('github:states', 1800)
+          state
+        end
+
+        def state_ok?(state)
+          redis.srem('github:states', state) if state
+        end
+
+        def github_to_travis(token, options = {})
           data   = GH.with(token: token.to_s) { GH['user'] }
           scopes = parse_scopes data.headers['x-oauth-scopes']
           user   = User.find_by_login(data['login'])
@@ -101,11 +114,11 @@ class Travis::Api::App
           halt 403, 'not a Travis user'   if user.nil?
           halt 403, 'insufficient access' unless acceptable? scopes
 
-          generate_token(user)
+          generate_token options.merge(user: user)
         end
 
-        def get_token(endoint, value)
-          response   = Faraday.get(endoint, value)
+        def get_token(endoint, values)
+          response   = Faraday.post(endoint, values)
           parameters = Addressable::URI.form_unencode(response.body)
           parameters.assoc("access_token").last
         end
@@ -114,8 +127,8 @@ class Travis::Api::App
           data.gsub(/\s/,'').split(',') if data
         end
 
-        def generate_token(user)
-          AccessToken.create(user: user).token
+        def generate_token(options)
+          AccessToken.create(options).token
         end
 
         def acceptable?(scopes)

From 8a16b77281680ad637e998b5cf79b6cdff866502 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Tue, 18 Sep 2012 17:02:01 +0200
Subject: [PATCH 13/42] disable threaded mode for now

---
 script/server | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/script/server b/script/server
index d7e105dd..569491a1 100755
--- a/script/server
+++ b/script/server
@@ -3,6 +3,6 @@ cd "$(dirname "$0")/.."
 [ $PORT ]     || PORT=3000
 [ $RACK_ENV ] || RACK_ENV=development
 
-cmd="ruby -I lib -S bundle exec ruby -I lib -S thin start -p $PORT -e $RACK_ENV --threaded"
+cmd="ruby -I lib -S bundle exec ruby -I lib -S thin start -p $PORT -e $RACK_ENV" #--threaded"
 [[ $RACK_ENV == "development" ]] && exec rerun "$cmd -a 127.0.0.1"
 exec $cmd

From 759ad4d1139eb05629ac0c4d1d3b353644ccb0c4 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Tue, 18 Sep 2012 18:27:26 +0200
Subject: [PATCH 14/42] send messages after oauth handshake

---
 lib/travis/api/app/endpoint/authorization.rb | 31 +++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index cc640549..b7ed528b 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -35,6 +35,19 @@ class Travis::Api::App
     # authorization flow to support third-party clients in the future, too.
     class Authorization < Endpoint
       set prefix: '/auth'
+      enable :inline_templates
+
+      configure :development, :test do
+        set :target_origins, ['*']
+      end
+
+      configure :production do
+        set :target_origins, %W[
+          https://#{Travis.config.domain}
+          https://staging.#{Travis.config.domain}
+          https://travis-ember.herokuapp.com
+        ]
+      end
 
       # Parameters:
       #
@@ -80,7 +93,7 @@ class Travis::Api::App
           values[:client_secret] = config.client_secret
           github_token           = get_token(endpoint.to_s, values)
           token                  = github_to_travis(github_token, app_id: 0)
-          { 'access_token' => token }
+          post_message(token: token)
         else
           values[:state]         = create_state
           endpoint.path          = config.authorize_path
@@ -134,6 +147,22 @@ class Travis::Api::App
         def acceptable?(scopes)
           scopes.include? 'public_repo' or scopes.include? 'repo'
         end
+
+        def post_message(payload)
+          content_type :html
+          erb(:post_message, locals: payload)
+        end
     end
   end
 end
+
+__END__
+
+@@ post_message
+<script>
+<% settings.target_origins.each do |target| %>
+  window.parent.postMessage(<%= token.inspect %>, <%= target.inspect %>);
+<% end %>
+</script>
+
+SENT
\ No newline at end of file

From 3a64c87a7f76021dfd8021c3e63c13dae0371cfd Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Tue, 18 Sep 2012 19:15:12 +0200
Subject: [PATCH 15/42] send user data with post message

---
 lib/travis/api/app/endpoint.rb               |  7 +++----
 lib/travis/api/app/endpoint/authorization.rb | 19 ++++++++++++-------
 2 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/lib/travis/api/app/endpoint.rb b/lib/travis/api/app/endpoint.rb
index ebfeec22..c4cd2199 100644
--- a/lib/travis/api/app/endpoint.rb
+++ b/lib/travis/api/app/endpoint.rb
@@ -13,14 +13,13 @@ class Travis::Api::App
 
     private
 
-      def service(key)
+      def service(key, user = current_user)
         const = Travis.services[key] || raise("no service registered for #{key}")
-        const.new(current_user)
+        const.new(user)
       end
 
       def current_user
-        # TODO
-        User.where(:login => 'svenfuchs').first
+        env['travis.access_token'].user if env['travis.access_token']
       end
 
       def redis
diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index b7ed528b..fafa5ad5 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -92,8 +92,10 @@ class Travis::Api::App
           values[:code]          = params[:code]
           values[:client_secret] = config.client_secret
           github_token           = get_token(endpoint.to_s, values)
-          token                  = github_to_travis(github_token, app_id: 0)
-          post_message(token: token)
+          user                   = user_for_github_token(github_token)
+          token                  = generate_token(user: user, app_id: 0)
+          rendered_user          = service(:user, user).find_one
+          post_message(token: token, user: rendered_user)
         else
           values[:state]         = create_state
           endpoint.path          = config.authorize_path
@@ -120,14 +122,17 @@ class Travis::Api::App
         end
 
         def github_to_travis(token, options = {})
+          generate_token options.merge(user: user_for_github_token(token))
+        end
+
+        def user_for_github_token(token)
           data   = GH.with(token: token.to_s) { GH['user'] }
           scopes = parse_scopes data.headers['x-oauth-scopes']
           user   = User.find_by_login(data['login'])
 
           halt 403, 'not a Travis user'   if user.nil?
           halt 403, 'insufficient access' unless acceptable? scopes
-
-          generate_token options.merge(user: user)
+          user
         end
 
         def get_token(endoint, values)
@@ -160,9 +165,9 @@ __END__
 
 @@ post_message
 <script>
+var payload = <%= render_json(user) %>;
+payload.token = <%= token.inspect %>;
 <% settings.target_origins.each do |target| %>
-  window.parent.postMessage(<%= token.inspect %>, <%= target.inspect %>);
+  window.parent.postMessage(payload, <%= target.inspect %>);
 <% end %>
 </script>
-
-SENT
\ No newline at end of file

From 1e903129a31ab7785e17562740d0bfb69486e2f3 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Tue, 18 Sep 2012 19:50:05 +0200
Subject: [PATCH 16/42] set app_id

---
 lib/travis/api/app/access_token.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/travis/api/app/access_token.rb b/lib/travis/api/app/access_token.rb
index e48bf367..e3b98d6c 100644
--- a/lib/travis/api/app/access_token.rb
+++ b/lib/travis/api/app/access_token.rb
@@ -29,7 +29,7 @@ class Travis::Api::App
     def save
       key = key(token)
       redis.del(key)
-      redis.rpush(key, [user_id, '', *scopes].map(&:to_s))
+      redis.rpush(key, [user_id, app_id, *scopes].map(&:to_s))
       redis.set(reuse_key, token)
     end
 

From 1a7a9daf4643abf6c954bf26c63816783ded9bda Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Tue, 18 Sep 2012 20:37:52 +0200
Subject: [PATCH 17/42] add endpoint for initial authorization

---
 lib/travis/api/app/endpoint/authorization.rb | 60 ++++++++++++--------
 1 file changed, 37 insertions(+), 23 deletions(-)

diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index fafa5ad5..dfd2c415 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -77,30 +77,16 @@ class Travis::Api::App
         { 'access_token' => github_to_travis(params[:token], app_id: 1) }
       end
 
-      get '/post_message' do
-        config   = Travis.config.oauth2
-        endpoint = Addressable::URI.parse(config.authorization_server)
-        values   = {
-          client_id:    config.client_id,
-          scope:        config.scope,
-          redirect_uri: url
-        }
+      get '/handshake' do
+        handshake do |*, redirect_uri|
+          redirect redirect_uri
+        end
+      end
 
-        if params[:code] and state_ok?(params[:state])
-          endpoint.path          = config.access_token_path
-          values[:state]         = params[:state]
-          values[:code]          = params[:code]
-          values[:client_secret] = config.client_secret
-          github_token           = get_token(endpoint.to_s, values)
-          user                   = user_for_github_token(github_token)
-          token                  = generate_token(user: user, app_id: 0)
-          rendered_user          = service(:user, user).find_one
+      get '/post_message' do
+        handshake do |user, token|
+          rendered_user = service(:user, user).find_one
           post_message(token: token, user: rendered_user)
-        else
-          values[:state]         = create_state
-          endpoint.path          = config.authorize_path
-          endpoint.query_values  = values
-          redirect to(endpoint.to_s)
         end
       end
 
@@ -110,15 +96,43 @@ class Travis::Api::App
 
       private
 
+        def handshake
+          config   = Travis.config.oauth2
+          endpoint = Addressable::URI.parse(config.authorization_server)
+          values   = {
+            client_id:    config.client_id,
+            scope:        config.scope,
+            redirect_uri: url
+          }
+
+          if params[:code] and state_ok?(params[:state])
+            endpoint.path          = config.access_token_path
+            values[:state]         = params[:state]
+            values[:code]          = params[:code]
+            values[:client_secret] = config.client_secret
+            github_token           = get_token(endpoint.to_s, values)
+            user                   = user_for_github_token(github_token)
+            token                  = generate_token(user: user, app_id: 0)
+            payload                = params[:state].split(":::", 2)[1]
+            yield user, token, payload
+          else
+            values[:state]         = create_state
+            endpoint.path          = config.authorize_path
+            endpoint.query_values  = values
+            redirect to(endpoint.to_s)
+          end
+        end
+
         def create_state
           state = SecureRandom.urlsafe_base64(16)
           redis.sadd('github:states', state)
           redis.expire('github:states', 1800)
+          state << ":::" << params[:redirect_uri] if params[:redirect_uri]
           state
         end
 
         def state_ok?(state)
-          redis.srem('github:states', state) if state
+          redis.srem('github:states', state.split(":::", 1)) if state
         end
 
         def github_to_travis(token, options = {})

From e8ab020af09c3b4cb0438df4422bfa07b0b1908f Mon Sep 17 00:00:00 2001
From: Sven Fuchs <me@svenfuchs.com>
Date: Tue, 18 Sep 2012 21:04:54 +0200
Subject: [PATCH 18/42] use Api for generating the user payload

---
 lib/travis/api/app/endpoint/authorization.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index fafa5ad5..f32fb95d 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -94,7 +94,7 @@ class Travis::Api::App
           github_token           = get_token(endpoint.to_s, values)
           user                   = user_for_github_token(github_token)
           token                  = generate_token(user: user, app_id: 0)
-          rendered_user          = service(:user, user).find_one
+          rendered_user          = Travis::Api.data(service(:user, user).find_one, type: :user, version: :v2)
           post_message(token: token, user: rendered_user)
         else
           values[:state]         = create_state

From 01e19e2888110af9c24c9b1d6e3bea2fbba1f096 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Tue, 18 Sep 2012 22:21:38 +0200
Subject: [PATCH 19/42] use id rather than login for user

---
 lib/travis/api/app/endpoint/authorization.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index f7273db8..2885b637 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -142,7 +142,7 @@ class Travis::Api::App
         def user_for_github_token(token)
           data   = GH.with(token: token.to_s) { GH['user'] }
           scopes = parse_scopes data.headers['x-oauth-scopes']
-          user   = User.find_by_login(data['login'])
+          user   = User.find_by_github_id(data['id'])
 
           halt 403, 'not a Travis user'   if user.nil?
           halt 403, 'insufficient access' unless acceptable? scopes

From a67b8bf1ded02214afa6873c5a1894cfde7f25b9 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Tue, 18 Sep 2012 23:33:35 +0200
Subject: [PATCH 20/42] create use if missing

---
 lib/travis/api/app/endpoint/authorization.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index 2885b637..e819a8aa 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -139,10 +139,18 @@ class Travis::Api::App
           generate_token options.merge(user: user_for_github_token(token))
         end
 
+        def user_info(data, misc = {})
+          info = data.to_hash.slice('name', 'login', 'github_oauth_token', 'gravatar_id')
+          info.merge! misc
+          info['github_id'] ||= data['id']
+          info
+        end
+
         def user_for_github_token(token)
           data   = GH.with(token: token.to_s) { GH['user'] }
           scopes = parse_scopes data.headers['x-oauth-scopes']
           user   = User.find_by_github_id(data['id'])
+          user ||= User.create! user_info(data, github_oauth_token: token)
 
           halt 403, 'not a Travis user'   if user.nil?
           halt 403, 'insufficient access' unless acceptable? scopes

From 4a59e2286ef6bb3f239927988c3baeca863a5a9a Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Wed, 19 Sep 2012 00:21:53 +0200
Subject: [PATCH 21/42] fix some of the tests

---
 spec/endpoint/authorization_spec.rb | 16 +++++++++-------
 spec/endpoint/profile_spec.rb       |  6 +++---
 2 files changed, 12 insertions(+), 10 deletions(-)

diff --git a/spec/endpoint/authorization_spec.rb b/spec/endpoint/authorization_spec.rb
index 79bdc1b7..6810e796 100644
--- a/spec/endpoint/authorization_spec.rb
+++ b/spec/endpoint/authorization_spec.rb
@@ -10,8 +10,9 @@ describe Travis::Api::App::Endpoint::Authorization do
       end
     end
 
-    User.stubs(:find_by_login).with(user.login).returns(user)
-    User.stubs(:find).with(user.id).returns(user)
+    user.stubs(:github_id).returns(42)
+    User.stubs(:find_github_id).returns(user)
+    User.stubs(:find).returns(user)
   end
 
   describe 'GET /auth/authorize' do
@@ -24,9 +25,10 @@ describe Travis::Api::App::Endpoint::Authorization do
 
   describe 'POST /auth/github' do
     before do
-      GH.stubs(:with).with(token: 'private repos').returns stub(:[] => user.login, :headers => {'x-oauth-scopes' => 'repo'})
-      GH.stubs(:with).with(token: 'public repos').returns  stub(:[] => user.login, :headers => {'x-oauth-scopes' => 'public_repo'})
-      GH.stubs(:with).with(token: 'no repos').returns      stub(:[] => user.login, :headers => {'x-oauth-scopes' => 'user'})
+      data = { 'id' => user.github_id, 'name' => user.name, 'login' => user.login, 'gravatar_id' => user.gravatar_id }
+      GH.stubs(:with).with(token: 'private repos').returns stub(:[] => user.login, :headers => {'x-oauth-scopes' => 'repo'}, :to_hash => data)
+      GH.stubs(:with).with(token: 'public repos').returns  stub(:[] => user.login, :headers => {'x-oauth-scopes' => 'public_repo'}, :to_hash => data)
+      GH.stubs(:with).with(token: 'no repos').returns      stub(:[] => user.login, :headers => {'x-oauth-scopes' => 'user'}, :to_hash => data)
       GH.stubs(:with).with(token: 'invalid token').raises(Faraday::Error::ClientError, 'CLIENT ERROR!')
     end
 
@@ -42,11 +44,11 @@ describe Travis::Api::App::Endpoint::Authorization do
     end
 
     it 'accepts tokens with repo scope' do
-      user_for('private repos').should == user
+      user_for('private repos').name.should == user.name
     end
 
     it 'accepts tokens with public_repo scope' do
-      user_for('public repos').should == user
+      user_for('public repos').name.should == user.name
     end
 
     it 'rejects tokens with user scope' do
diff --git a/spec/endpoint/profile_spec.rb b/spec/endpoint/profile_spec.rb
index 8298d76e..d02b63e5 100644
--- a/spec/endpoint/profile_spec.rb
+++ b/spec/endpoint/profile_spec.rb
@@ -2,11 +2,11 @@ require 'spec_helper'
 
 describe Travis::Api::App::Endpoint::Profile do
   include Travis::Testing::Stubs
-  let(:access_token) { Travis::Api::App::AccessToken.create(user: user) }
+  let(:access_token) { Travis::Api::App::AccessToken.create(user: user, app_id: 0) }
 
   before do
-    User.stubs(:find_by_login).with(user.login).returns(user)
-    User.stubs(:find).with(user.id).returns(user)
+    User.stubs(:find_by_github_id).returns(user)
+    User.stubs(:find).returns(user)
   end
 
   it 'needs to be authenticated' do

From f5af1923a69dc2b800e6e0f89839e1bbf52207c7 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Wed, 19 Sep 2012 10:19:20 +0200
Subject: [PATCH 22/42] set profile scope back to private

---
 lib/travis/api/app/endpoint/profile.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/travis/api/app/endpoint/profile.rb b/lib/travis/api/app/endpoint/profile.rb
index 1e39238a..b8e8abad 100644
--- a/lib/travis/api/app/endpoint/profile.rb
+++ b/lib/travis/api/app/endpoint/profile.rb
@@ -18,8 +18,7 @@ class Travis::Api::App
       #         "synced_at": "2012-08-14T22:11:21Z"
       #       }
       #     }
-      # , scope: :private
-      get '/' do
+      get '/', scope: :private do
         body service(:user).find_one, type: :user
       end
 

From d708b79e135d3e7d672bd66b0754524ff8eb7cbf Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Wed, 19 Sep 2012 10:23:57 +0200
Subject: [PATCH 23/42] fix access token related tests

---
 lib/travis/api/app/access_token.rb  | 2 +-
 spec/endpoint/profile_spec.rb       | 2 +-
 spec/extensions/scoping_spec.rb     | 2 +-
 spec/middleware/scope_check_spec.rb | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/travis/api/app/access_token.rb b/lib/travis/api/app/access_token.rb
index e3b98d6c..bae8436d 100644
--- a/lib/travis/api/app/access_token.rb
+++ b/lib/travis/api/app/access_token.rb
@@ -68,7 +68,7 @@ class Travis::Api::App
       def reuse_key
         @reuse_key ||= begin
           keys = ["r", user_id, app_id]
-          keys.append(scopes.mpa(&:to_s).sort) if scopes != DEFAULT_SCOPES
+          keys.append(scopes.map(&:to_s).sort) if scopes != DEFAULT_SCOPES
           keys.join(':')
         end
       end
diff --git a/spec/endpoint/profile_spec.rb b/spec/endpoint/profile_spec.rb
index d02b63e5..43c1f19e 100644
--- a/spec/endpoint/profile_spec.rb
+++ b/spec/endpoint/profile_spec.rb
@@ -2,7 +2,7 @@ require 'spec_helper'
 
 describe Travis::Api::App::Endpoint::Profile do
   include Travis::Testing::Stubs
-  let(:access_token) { Travis::Api::App::AccessToken.create(user: user, app_id: 0) }
+  let(:access_token) { Travis::Api::App::AccessToken.create(user: user, app_id: -1) }
 
   before do
     User.stubs(:find_by_github_id).returns(user)
diff --git a/spec/extensions/scoping_spec.rb b/spec/extensions/scoping_spec.rb
index 5b037f58..ca4a1270 100644
--- a/spec/extensions/scoping_spec.rb
+++ b/spec/extensions/scoping_spec.rb
@@ -14,7 +14,7 @@ describe Travis::Api::App::Extensions::Scoping do
   end
 
   def with_scopes(url, *scopes)
-    token = Travis::Api::App::AccessToken.create(user: user, scopes: scopes)
+    token = Travis::Api::App::AccessToken.create(user: user, scopes: scopes, app_id: -1)
     get(url, {}, 'travis.access_token' => token)
   end
 
diff --git a/spec/middleware/scope_check_spec.rb b/spec/middleware/scope_check_spec.rb
index 3e6649aa..1eb820c7 100644
--- a/spec/middleware/scope_check_spec.rb
+++ b/spec/middleware/scope_check_spec.rb
@@ -4,7 +4,7 @@ describe Travis::Api::App::Middleware::ScopeCheck do
   include Travis::Testing::Stubs
 
   let :access_token do
-    Travis::Api::App::AccessToken.create(user: user, scope: :foo)
+    Travis::Api::App::AccessToken.create(user: user, scope: :foo, app_id: -1)
   end
 
   before do

From e5ed22843f93d26c383a92f696baf13e520e2f74 Mon Sep 17 00:00:00 2001
From: Sven Fuchs <me@svenfuchs.com>
Date: Wed, 19 Sep 2012 13:28:24 +0200
Subject: [PATCH 24/42] fix profile endpoint spec

---
 spec/endpoint/profile_spec.rb | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/spec/endpoint/profile_spec.rb b/spec/endpoint/profile_spec.rb
index 43c1f19e..612a8e9c 100644
--- a/spec/endpoint/profile_spec.rb
+++ b/spec/endpoint/profile_spec.rb
@@ -7,6 +7,7 @@ describe Travis::Api::App::Endpoint::Profile do
   before do
     User.stubs(:find_by_github_id).returns(user)
     User.stubs(:find).returns(user)
+    user.stubs(:repositories).returns(stub(administratable: stub(select: [repository])))
   end
 
   it 'needs to be authenticated' do
@@ -15,14 +16,26 @@ describe Travis::Api::App::Endpoint::Profile do
 
   it 'replies with the current user' do
     get('/profile', access_token: access_token.to_s).should be_ok
-    parsed_body["user"].should == {
-      "login"       => user.login,
-      "name"        => user.name,
-      "email"       => user.email,
-      "gravatar_id" => user.gravatar_id,
-      "locale"      => user.locale,
-      "is_syncing"  => user.is_syncing,
-      "synced_at"   => user.synced_at.strftime('%Y-%m-%dT%H:%M:%SZ')
+    parsed_body['user'].should == {
+      'id'          => user.id,
+      'login'       => user.login,
+      'name'        => user.name,
+      'email'       => user.email,
+      'gravatar_id' => user.gravatar_id,
+      'locale'      => user.locale,
+      'is_syncing'  => user.is_syncing,
+      'synced_at'   => user.synced_at.strftime('%Y-%m-%dT%H:%M:%SZ')
     }
   end
+
+  it 'includes accounts' do
+    get('/profile', access_token: access_token.to_s).should be_ok
+    parsed_body['accounts'].should == [{
+      'id'          => user.id,
+      'login'       => user.login,
+      'name'        => user.name,
+      'type'        => 'user',
+      'reposCount'  => nil
+    }]
+  end
 end

From 3ddb2da33b29542aa093bcf0d28b324e6b38dcd4 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Wed, 19 Sep 2012 15:30:46 +0200
Subject: [PATCH 25/42] better docs for authorization

---
 lib/travis/api/app/endpoint/authorization.rb | 45 +++++++++++++++++++-
 1 file changed, 43 insertions(+), 2 deletions(-)

diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index e819a8aa..8a1572a5 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -18,6 +18,7 @@ class Travis::Api::App
     # authorize) against GitHub.
     #
     # This is the recommended way for third-party web apps.
+    # The entry point is [/auth/authorize](#/auth/authorize).
     #
     # ## GitHub Token
     #
@@ -29,10 +30,14 @@ class Travis::Api::App
     # This is the recommended way for GitHub applications that also want Travis
     # integration.
     #
+    # The entry point is [/auth/github](#/auth/github).
+    #
     # ## Cross-Origin Window Messages
     #
     # This is the recommended way for the official client. We might improve the
     # authorization flow to support third-party clients in the future, too.
+    #
+    # The entry point is [/auth/post_message](#/auth/post_message).
     class Authorization < Endpoint
       set prefix: '/auth'
       enable :inline_templates
@@ -49,6 +54,9 @@ class Travis::Api::App
         ]
       end
 
+      # Endpoint for retrieving an authorization code, which in turn can be used
+      # to generate an access token.
+      #
       # Parameters:
       #
       # * **client_id**: your App's client id (required)
@@ -59,17 +67,21 @@ class Travis::Api::App
         raise NotImplementedError
       end
 
+      # Endpoint for generating an access token from an authorization code.
+      #
       # Parameters:
       #
       # * **client_id**: your App's client id (required)
       # * **client_secret**: your App's client secret (required)
-      # * **code**: code retrieved from redirect from [/authorize](#/authorize) (required)
+      # * **code**: code retrieved from redirect from [/auth/authorize](#/auth/authorize) (required)
       # * **redirect_uri**: URL to redirect to
-      # * **state**: same value sent to [/authorize](#/authorize)
+      # * **state**: same value sent to [/auth/authorize](#/auth/authorize)
       post '/access_token' do
         raise NotImplementedError
       end
 
+      # Endpoint for generating an access token from a GitHub access token.
+      #
       # Parameters:
       #
       # * **token**: GitHub token for checking authorization (required)
@@ -77,12 +89,41 @@ class Travis::Api::App
         { 'access_token' => github_to_travis(params[:token], app_id: 1) }
       end
 
+      # Endpoint for making sure user authorized Travis CI to access GitHub.
+      # There are no restrictions on where to redirect to after handshake.
+      # However, no information whatsoever is being sent with the redirect.
+      #
+      # Parameters:
+      #
+      # * **redirect_uri**: URI to redirect after handshake.
       get '/handshake' do
         handshake do |*, redirect_uri|
           redirect redirect_uri
         end
       end
 
+      # This endpoint is meant to be embedded in an iframe, popup window or
+      # similar. It will perform the handshake and, once done, will send an
+      # access token and user payload to the parent window via postMessage.
+      #
+      # However, the endpoint to send the payload to has to be explicitely
+      # whitelisted in production, as this is endpoint is only meant to be used
+      # with the official Travis CI client at the moment.
+      #
+      # Example usage:
+      #
+      #     window.addEventListener("message", function(event) {
+      #       alert("received token: " + event.data.token);
+      #     });
+      #
+      #     var iframe = $('<iframe />').hide();
+      #     iframe.appendTo('body');
+      #     iframe.attr('src', "https://api.travis-ci.org/auth/post_message");
+      #
+      # Note that embedding it in an iframe will only work for users that are
+      # logged in at GitHub and already authorized Travis CI. It is therefore
+      # recommended to redirect to [/auth/handshake](#/auth/handshake) if no
+      # token is being received.
       get '/post_message' do
         handshake do |user, token|
           rendered_user = Travis::Api.data(service(:user, user).find_one, type: :user, version: :v2)

From 742583e8e9778b6c7fc147dc4ec3f12d3b360c8f Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Wed, 19 Sep 2012 16:29:11 +0200
Subject: [PATCH 26/42] make sure we don't leak the github oauth code via a
 referrer

---
 lib/travis/api/app.rb                        |  4 ++++
 lib/travis/api/app/endpoint.rb               | 13 +++++++++++++
 lib/travis/api/app/endpoint/authorization.rb |  4 ++--
 lib/travis/api/app/endpoint/home.rb          | 11 +++++++++++
 4 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/lib/travis/api/app.rb b/lib/travis/api/app.rb
index 1b2b7230..458a06e6 100644
--- a/lib/travis/api/app.rb
+++ b/lib/travis/api/app.rb
@@ -54,6 +54,10 @@ class Travis::Api::App
       use Rack::SSL if Endpoint.production?
       use ActiveRecord::ConnectionAdapters::ConnectionManagement
 
+      use Rack::Config do |env|
+        env['travis.global_prefix'] = env['SCRIPT_NAME']
+      end
+
       Middleware.subclasses.each { |m| use(m) }
       Endpoint.subclasses.each { |e| map(e.prefix) { run(e.new) } }
     end
diff --git a/lib/travis/api/app/endpoint.rb b/lib/travis/api/app/endpoint.rb
index c4cd2199..9bee2ff8 100644
--- a/lib/travis/api/app/endpoint.rb
+++ b/lib/travis/api/app/endpoint.rb
@@ -1,4 +1,5 @@
 require 'travis/api/app'
+require 'addressable/uri'
 
 class Travis::Api::App
   # Superclass for HTTP endpoints. Takes care of prefixing.
@@ -25,5 +26,17 @@ class Travis::Api::App
       def redis
         Thread.current[:redis] ||= ::Redis.connect(url: Travis.config.redis.url)
       end
+
+      def endpoint(link, query_values = {})
+        link = url(File.join(env['travis.global_prefix'], link), true, false)
+        uri  = Addressable::URI.parse(link)
+        query_values = query_values.merge(uri.query_values) if uri.query_values
+        uri.query_values = query_values
+        uri.to_s
+      end
+
+      def safe_redirect(url)
+        redirect(endpoint('/redirect', to: url), 301)
+      end
   end
 end
diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index 8a1572a5..28e13784 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -95,10 +95,10 @@ class Travis::Api::App
       #
       # Parameters:
       #
-      # * **redirect_uri**: URI to redirect after handshake.
+      # * **redirect_uri**: URI to redirect to after handshake.
       get '/handshake' do
         handshake do |*, redirect_uri|
-          redirect redirect_uri
+          safe_redirect redirect_uri
         end
       end
 
diff --git a/lib/travis/api/app/endpoint/home.rb b/lib/travis/api/app/endpoint/home.rb
index 96bbcb7d..8f41c586 100644
--- a/lib/travis/api/app/endpoint/home.rb
+++ b/lib/travis/api/app/endpoint/home.rb
@@ -11,6 +11,17 @@ class Travis::Api::App
         redirect to('/docs/') if request.preferred_type('application/json', 'text/html') == 'text/html'
         { 'hello' => 'world' }
       end
+
+      # Simple endpoints that redirects somewhere else, to make sure we don't
+      # send a referrer.
+      #
+      # Parameters:
+      #
+      # * **to**: URI to redirect to after handshake.
+      get '/redirect' do
+        halt 400 unless params[:to] =~ %r{^https?://}
+        redirect params[:to]
+      end
     end
   end
 end

From e9474652a87b281df164fd6f288b2a4b79291989 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 20 Sep 2012 12:03:08 +0200
Subject: [PATCH 27/42] add github ribbon to docs

---
 lib/travis/api/app/endpoint/documentation.rb | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/lib/travis/api/app/endpoint/documentation.rb b/lib/travis/api/app/endpoint/documentation.rb
index e230142e..e38262d1 100644
--- a/lib/travis/api/app/endpoint/documentation.rb
+++ b/lib/travis/api/app/endpoint/documentation.rb
@@ -95,6 +95,13 @@ __END__
   </head>
 
   <body onload="prettyPrint()">
+
+    <a href="https://github.com/travis-ci/travis-api">
+      <img style="position: absolute; top: 0; right: 0; border: 0;"
+        src="https://s3.amazonaws.com/github/ribbons/forkme_right_darkblue_121621.png"
+        alt="Fork me on GitHub">
+    </a>
+
     <div class="container">
       <div class="row">
         <header class="span12">

From 72dae6867c68c189882aaec51a180503f276fcbd Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 20 Sep 2012 14:15:30 +0200
Subject: [PATCH 28/42] start working on general docs

---
 docs/00_overview.md                          |  7 ++
 docs/01_cross_origin.md                      | 23 +++++
 lib/travis/api/app/endpoint/documentation.rb | 95 +++++++++++++++-----
 3 files changed, 102 insertions(+), 23 deletions(-)
 create mode 100644 docs/00_overview.md
 create mode 100644 docs/01_cross_origin.md

diff --git a/docs/00_overview.md b/docs/00_overview.md
new file mode 100644
index 00000000..f05ab353
--- /dev/null
+++ b/docs/00_overview.md
@@ -0,0 +1,7 @@
+# Overview
+
+... some general docs here ...
+
+## Media Types
+
+The API is currently JSON only.
\ No newline at end of file
diff --git a/docs/01_cross_origin.md b/docs/01_cross_origin.md
new file mode 100644
index 00000000..031f7209
--- /dev/null
+++ b/docs/01_cross_origin.md
@@ -0,0 +1,23 @@
+# Web Clients
+
+When write an in-browsers client, you have to circumvent the browser's
+[same origin policy](http://en.wikipedia.org/wiki/Same_origin_policy).
+Generally, we offer two different approaches for this:
+[Cross-Origin Resource Sharing](http://en.wikipedia.org/wiki/CORS) (aka CORS)
+and [JSONP](http://en.wikipedia.org/wiki/JSONP). If you don't have any good
+reason for using JSONP, we recommend you use CORS.
+
+## Cross-Origin Resource Sharing
+
+... some general docs here ...
+
+In contrast to JSONP, CORS does not lead to any execution of untrusted code.
+
+Most JavaScript frameworks, like [jQuery](http://jquery.com), take care of CORS
+requests for you under the hood, so you can just do a normal *ajax* request.
+
+Our current setup allows the headers `Content-Type`, `Authorization`, `Accept` and the HTTP methods `HEAD`, `GET`, `POST`, `PATCH`, `PUT`, `DELETE`.
+
+## JSONP
+
+... some docs here ...
diff --git a/lib/travis/api/app/endpoint/documentation.rb b/lib/travis/api/app/endpoint/documentation.rb
index e38262d1..5f56edac 100644
--- a/lib/travis/api/app/endpoint/documentation.rb
+++ b/lib/travis/api/app/endpoint/documentation.rb
@@ -11,7 +11,12 @@ class Travis::Api::App
       get '/' do
         content_type :html
         endpoints = Endpoints.endpoints
-        erb :index, {}, :endpoints => endpoints.keys.sort.map { |k| endpoints[k] }
+        erb :index, {}, endpoints: endpoints.keys.sort.map { |k| endpoints[k] }
+      end
+
+      get '/x' do
+        content_type :html
+        general_docs
       end
 
       helpers do
@@ -38,6 +43,29 @@ class Travis::Api::App
             gsub(/<\/?code>/, '').
             gsub(/TODO:?/, '<span class="label label-warning">TODO</span>')
         end
+
+        private
+
+          def general_docs
+            @@general_docs  ||= doc_files.map do |file|
+              header, content = File.read(file).split("\n", 2)
+              content         = markdown(content)
+              subheaders      = []
+
+              content.gsub!(/<h2>(.*)<\/h2>/) do
+                subheaders << $1
+                "<h2 id=\"#{$1}\">#{$1}</h2>"
+              end
+
+              header.gsub! /^#* */, ''
+              { id: header, title: header, content: content, subheaders: subheaders }
+            end
+          end
+
+          def doc_files
+            pattern = File.expand_path('../../../../../../docs/*.md', __FILE__)
+            Dir[pattern].sort
+          end
       end
     end
   end
@@ -118,6 +146,13 @@ __END__
           </div>
           <div class="well" style="padding: 8px 0;">
             <ul class="nav nav-list">
+              <% general_docs.each do |doc| %>
+                <li class="nav-header"><a href="#<%= doc[:id] %>"><%= doc[:title] %></a></li>
+                <% doc[:subheaders].each do |sub| %>
+                  <li><a href="#<%= sub %>"><%= sub %></a></li>
+                <% end %>
+              <% end %>
+              <li class="divider"></li>
               <% endpoints.each do |endpoint| %>
                 <li class="nav-header"><a href="#<%= endpoint['name'] %>"><%= endpoint['name'] %></a></li>
                 <% endpoint['routes'].each do |route| %>
@@ -163,29 +198,15 @@ __END__
 
         <section class="span9">
 
+          <% general_docs.each do |doc| %>
+            <%= erb :entry, locals: doc %>
+          <% end %>
+
           <% endpoints.each do |endpoint| %>
-            <div id="<%= endpoint['name'] %>">
-              <div class="page-header">
-                <h1>
-                  <a href="#<%= endpoint['name'] %>"><%= endpoint['name'] %></a>
-                </h1>
-              </div>
-              <% unless endpoint['doc'].to_s.empty? %>
-                <%= docs_for endpoint %>
-                <hr>
-              <% end %>
-              <% endpoint['routes'].each do |route| %>
-                  <div class="route" id="<%= slug_for(route) %>">
-                    <pre><h3><%= route['verb'] %> <%= route['uri'] %></h3></pre>
-                    <% if route['scope'] %>
-                      <p>
-                        <h5>Required autorization scope: <span class="label"><%= route['scope'] %></span></h5>
-                      </p>
-                    <% end %>
-                    <%= docs_for route %>
-                  </div>
-              <% end %>
-            </div>
+            <%= erb :entry, {},
+              id: endpoint['name'],
+              title: endpoint['name'],
+              content: erb(:endpoint_content, {}, endpoint: endpoint) %>
           <% end %>
 
         </section>
@@ -193,3 +214,31 @@ __END__
     </div>
   </body>
 </html>
+
+@@ endpoint_content
+<% unless endpoint['doc'].to_s.empty? %>
+  <%= docs_for endpoint %>
+  <hr>
+<% end %>
+<% endpoint['routes'].each do |route| %>
+  <div class="route" id="<%= slug_for(route) %>">
+    <pre><h3><%= route['verb'] %> <%= route['uri'] %></h3></pre>
+    <% if route['scope'] %>
+      <p>
+        <h5>Required autorization scope: <span class="label"><%= route['scope'] %></span></h5>
+      </p>
+    <% end %>
+    <%= docs_for route %>
+  </div>
+<% end %>
+
+@@ entry
+<div id="<%= id %>">
+  <div class="page-header">
+    <h1>
+      <a href="#<%= id %>"><%= title %></a>
+    </h1>
+  </div>
+  <%= content %>
+</div>
+

From 016d929bc03d11ed45ede3f479a74ec7f532ea4b Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 20 Sep 2012 14:15:37 +0200
Subject: [PATCH 29/42] allow HEAD requests

---
 lib/travis/api/app/middleware/cors.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/travis/api/app/middleware/cors.rb b/lib/travis/api/app/middleware/cors.rb
index eea34fda..dc98a4e4 100644
--- a/lib/travis/api/app/middleware/cors.rb
+++ b/lib/travis/api/app/middleware/cors.rb
@@ -14,7 +14,7 @@ class Travis::Api::App
       end
 
       options // do
-        headers['Access-Control-Allow-Methods'] = "GET, POST, PATCH, PUT, DELETE"
+        headers['Access-Control-Allow-Methods'] = "HEAD, GET, POST, PATCH, PUT, DELETE"
         headers['Access-Control-Allow-Headers'] = "Content-Type, Authorization, Accept"
       end
     end

From 743b203709460155bc6e6cc5954d4c7d2b310d5c Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 20 Sep 2012 14:18:35 +0200
Subject: [PATCH 30/42] fix link

---
 docs/01_cross_origin.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/01_cross_origin.md b/docs/01_cross_origin.md
index 031f7209..2119d004 100644
--- a/docs/01_cross_origin.md
+++ b/docs/01_cross_origin.md
@@ -3,7 +3,7 @@
 When write an in-browsers client, you have to circumvent the browser's
 [same origin policy](http://en.wikipedia.org/wiki/Same_origin_policy).
 Generally, we offer two different approaches for this:
-[Cross-Origin Resource Sharing](http://en.wikipedia.org/wiki/CORS) (aka CORS)
+[Cross-Origin Resource Sharing](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing) (aka CORS)
 and [JSONP](http://en.wikipedia.org/wiki/JSONP). If you don't have any good
 reason for using JSONP, we recommend you use CORS.
 

From ddf404416e51f554ea5cef948685d22b9f14af84 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 20 Sep 2012 14:23:18 +0200
Subject: [PATCH 31/42] fix test

---
 spec/middleware/cors_spec.rb | 2 +-
 travis-api.gemspec           | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/spec/middleware/cors_spec.rb b/spec/middleware/cors_spec.rb
index 034e1682..21dee0f7 100644
--- a/spec/middleware/cors_spec.rb
+++ b/spec/middleware/cors_spec.rb
@@ -40,7 +40,7 @@ describe Travis::Api::App::Middleware::Cors do
     end
 
     it 'sets Access-Control-Allow-Methods' do
-      headers['Access-Control-Allow-Methods'].should == "GET, POST, PATCH, PUT, DELETE"
+      headers['Access-Control-Allow-Methods'].should == "HEAD, GET, POST, PATCH, PUT, DELETE"
     end
 
     it 'sets Access-Control-Allow-Headers' do
diff --git a/travis-api.gemspec b/travis-api.gemspec
index 7863562c..4c8653fa 100644
--- a/travis-api.gemspec
+++ b/travis-api.gemspec
@@ -16,9 +16,9 @@ Gem::Specification.new do |s|
 
   s.email = [
     "konstantin.mailinglists@googlemail.com",
+    "me@svenfuchs.com",
     "svenfuchs@artweb-design.de",
-    "drogus@gmail.com",
-    "me@svenfuchs.com"
+    "drogus@gmail.com"
   ]
 
   s.files = [
@@ -27,6 +27,8 @@ Gem::Specification.new do |s|
     "Rakefile",
     "config.ru",
     "config/database.yml",
+    "docs/00_overview.md",
+    "docs/01_cross_origin.md",
     "lib/travis/api/app.rb",
     "lib/travis/api/app/access_token.rb",
     "lib/travis/api/app/endpoint.rb",

From da4f05901fcfd3e3225ec16c586acd8cf1058da8 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 20 Sep 2012 14:43:15 +0200
Subject: [PATCH 32/42] more CORS docs

---
 docs/01_cross_origin.md                      | 13 ++++++++++++-
 lib/travis/api/app/endpoint/documentation.rb | 14 +++++++++-----
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/docs/01_cross_origin.md b/docs/01_cross_origin.md
index 2119d004..d6408bef 100644
--- a/docs/01_cross_origin.md
+++ b/docs/01_cross_origin.md
@@ -9,7 +9,18 @@ reason for using JSONP, we recommend you use CORS.
 
 ## Cross-Origin Resource Sharing
 
-... some general docs here ...
+All API resources set appropriate headers to allow Cross-Origin requests. Be
+aware that on Internet Explorer you might have to use a different interface to
+send these requests.
+
+    // using XMLHttpRequest or XDomainRequest to send an API request
+    var invocation = window.XDomainRequest ? new XDomainRequest() : new XMLHttpRequest();
+
+    if(invocation) {
+      invocation.open("GET", "https://api.travis-ci.org/", true);
+      invocation.onreadystatechange = function() { alert("it worked!") };
+      invocation.send();
+    }
 
 In contrast to JSONP, CORS does not lead to any execution of untrusted code.
 
diff --git a/lib/travis/api/app/endpoint/documentation.rb b/lib/travis/api/app/endpoint/documentation.rb
index 5f56edac..907f9c7b 100644
--- a/lib/travis/api/app/endpoint/documentation.rb
+++ b/lib/travis/api/app/endpoint/documentation.rb
@@ -38,14 +38,18 @@ class Travis::Api::App
         end
 
         def docs_for(entry)
-          markdown(entry['doc']).
-            gsub('<pre', '<pre class="prettyprint linenums lang-js pre-scrollable"').
-            gsub(/<\/?code>/, '').
-            gsub(/TODO:?/, '<span class="label label-warning">TODO</span>')
+          with_code_highlighting markdown(entry['doc'])
         end
 
         private
 
+          def with_code_highlighting(str)
+            str.
+              gsub('<pre', '<pre class="prettyprint linenums lang-js pre-scrollable"').
+              gsub(/<\/?code>/, '').
+              gsub(/TODO:?/, '<span class="label label-warning">TODO</span>')
+          end
+
           def general_docs
             @@general_docs  ||= doc_files.map do |file|
               header, content = File.read(file).split("\n", 2)
@@ -58,7 +62,7 @@ class Travis::Api::App
               end
 
               header.gsub! /^#* */, ''
-              { id: header, title: header, content: content, subheaders: subheaders }
+              { id: header, title: header, content: with_code_highlighting(content), subheaders: subheaders }
             end
           end
 

From fb992184a07155ffae0c149303494219672ec692 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 20 Sep 2012 14:53:16 +0200
Subject: [PATCH 33/42] add jsonp

---
 Gemfile.lock          | 9 ++++++---
 lib/travis/api/app.rb | 2 ++
 travis-api.gemspec    | 1 +
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 5dac3a14..464c0689 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -66,6 +66,7 @@ PATH
       hubble (~> 0.1)
       newrelic_rpm (~> 3.3.0)
       pg (~> 0.13.2)
+      rack-contrib (~> 1.1)
       rack-ssl (~> 1.3)
       redcarpet (~> 2.1)
       sinatra (~> 1.3)
@@ -107,13 +108,13 @@ GEM
     avl_tree (1.1.3)
     backports (2.6.4)
     builder (3.0.3)
-    daemons (1.1.8)
+    daemons (1.1.9)
     data_migrations (0.0.1)
       activerecord
       rake
     diff-lcs (1.1.3)
     erubis (2.7.0)
-    eventmachine (0.12.10)
+    eventmachine (1.0.0)
     factory_girl (2.4.2)
       activesupport
     faraday (0.8.4)
@@ -163,6 +164,8 @@ GEM
     rack (1.4.1)
     rack-cache (1.2)
       rack (>= 0.4)
+    rack-contrib (1.1.0)
+      rack (>= 0.9.1)
     rack-protection (1.2.0)
       rack
     rack-ssl (1.3.2)
@@ -201,7 +204,7 @@ GEM
     simple_states (0.1.1)
       activesupport
       hashr (~> 0.0.10)
-    sinatra (1.3.2)
+    sinatra (1.3.3)
       rack (~> 1.3, >= 1.3.6)
       rack-protection (~> 1.2)
       tilt (~> 1.3, >= 1.3.3)
diff --git a/lib/travis/api/app.rb b/lib/travis/api/app.rb
index 458a06e6..7a06db03 100644
--- a/lib/travis/api/app.rb
+++ b/lib/travis/api/app.rb
@@ -6,6 +6,7 @@ require 'travis'
 require 'backports'
 require 'rack'
 require 'rack/protection'
+require 'rack/contrib'
 require 'active_record'
 require 'redis'
 require 'gh'
@@ -52,6 +53,7 @@ class Travis::Api::App
     @app = Rack::Builder.app do
       use Rack::Protection::PathTraversal
       use Rack::SSL if Endpoint.production?
+      use Rack::JSONP
       use ActiveRecord::ConnectionAdapters::ConnectionManagement
 
       use Rack::Config do |env|
diff --git a/travis-api.gemspec b/travis-api.gemspec
index 4c8653fa..ce4d28e4 100644
--- a/travis-api.gemspec
+++ b/travis-api.gemspec
@@ -126,5 +126,6 @@ Gem::Specification.new do |s|
   s.add_dependency 'sinatra-contrib', '~> 1.3'
   s.add_dependency 'redcarpet',       '~> 2.1'
   s.add_dependency 'rack-ssl',        '~> 1.3'
+  s.add_dependency 'rack-contrib',    '~> 1.1'
 end
 

From c212204ad0b421ebbb8a2e50adf0e4c35e5c149b Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 20 Sep 2012 15:18:30 +0200
Subject: [PATCH 34/42] more cors and jsonp docs

---
 docs/01_cross_origin.md                      | 13 ++++++++++++-
 lib/travis/api/app/endpoint/documentation.rb |  5 ++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/docs/01_cross_origin.md b/docs/01_cross_origin.md
index d6408bef..cd905e83 100644
--- a/docs/01_cross_origin.md
+++ b/docs/01_cross_origin.md
@@ -27,8 +27,19 @@ In contrast to JSONP, CORS does not lead to any execution of untrusted code.
 Most JavaScript frameworks, like [jQuery](http://jquery.com), take care of CORS
 requests for you under the hood, so you can just do a normal *ajax* request.
 
+    // using jQuery
+    $.get("https://api.travis-ci.org/", function() { alert("it worked!") });
+
 Our current setup allows the headers `Content-Type`, `Authorization`, `Accept` and the HTTP methods `HEAD`, `GET`, `POST`, `PATCH`, `PUT`, `DELETE`.
 
 ## JSONP
 
-... some docs here ...
+You can disable the same origin policy by treating the response as JavaScript.
+Supply a `callback` parameter to use this.
+
+    <script>
+      function jsonpCallback() { alert("it worked!") };
+    </script>
+    <script src="https://api.travis-ci.org/?callback=jsonpCallback"></script>
+
+This has the potential of code injection, use with caution.
diff --git a/lib/travis/api/app/endpoint/documentation.rb b/lib/travis/api/app/endpoint/documentation.rb
index 907f9c7b..6e2c427e 100644
--- a/lib/travis/api/app/endpoint/documentation.rb
+++ b/lib/travis/api/app/endpoint/documentation.rb
@@ -7,6 +7,9 @@ class Travis::Api::App
       set prefix: '/docs', public_folder: File.expand_path('../documentation', __FILE__)
       enable :inline_templates, :static
 
+      # Don't cache general docs in development
+      configure(:development) { before { @@general_docs = nil } }
+
       # HTML view for [/endpoints](#/endpoints/).
       get '/' do
         content_type :html
@@ -45,7 +48,7 @@ class Travis::Api::App
 
           def with_code_highlighting(str)
             str.
-              gsub('<pre', '<pre class="prettyprint linenums lang-js pre-scrollable"').
+              gsub('<pre', '<pre class="prettyprint linenums pre-scrollable"').
               gsub(/<\/?code>/, '').
               gsub(/TODO:?/, '<span class="label label-warning">TODO</span>')
           end

From d02e8ccc4a35069826d6055ae6759c98b9caa34b Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 20 Sep 2012 15:34:54 +0200
Subject: [PATCH 35/42] add link for JSON

---
 docs/00_overview.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/00_overview.md b/docs/00_overview.md
index f05ab353..7d041592 100644
--- a/docs/00_overview.md
+++ b/docs/00_overview.md
@@ -4,4 +4,4 @@
 
 ## Media Types
 
-The API is currently JSON only.
\ No newline at end of file
+The API is currently [JSON](http://en.wikipedia.org/wiki/JSON) only.
\ No newline at end of file

From 9fca38bc9c657e62385417ece6c22ad6b865dcfc Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 20 Sep 2012 16:02:03 +0200
Subject: [PATCH 36/42] remove test route

---
 lib/travis/api/app/endpoint/documentation.rb | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/lib/travis/api/app/endpoint/documentation.rb b/lib/travis/api/app/endpoint/documentation.rb
index 6e2c427e..370612cc 100644
--- a/lib/travis/api/app/endpoint/documentation.rb
+++ b/lib/travis/api/app/endpoint/documentation.rb
@@ -17,11 +17,6 @@ class Travis::Api::App
         erb :index, {}, endpoints: endpoints.keys.sort.map { |k| endpoints[k] }
       end
 
-      get '/x' do
-        content_type :html
-        general_docs
-      end
-
       helpers do
         def icon_for(verb)
           # GET, POST, PATCH, PUT, DELETE"

From 761e5dce6127a74755f012f7827912e608150f87 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 20 Sep 2012 16:09:26 +0200
Subject: [PATCH 37/42] make sync private again

---
 lib/travis/api/app/endpoint/profile.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/travis/api/app/endpoint/profile.rb b/lib/travis/api/app/endpoint/profile.rb
index b8e8abad..cb27ae83 100644
--- a/lib/travis/api/app/endpoint/profile.rb
+++ b/lib/travis/api/app/endpoint/profile.rb
@@ -29,8 +29,7 @@ class Travis::Api::App
       end
 
       # TODO: Add implementation and documentation.
-      # , scope: :private
-      post '/sync' do
+      post '/sync', scope: :private do
         # raise NotImplementedError
         # sync_user(current_user)
         'ok'

From 8954eaa081b7b3c4a6449343eaf10d7c8d3c5c46 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 20 Sep 2012 16:10:29 +0200
Subject: [PATCH 38/42] actually trigger sync

---
 lib/travis/api/app/endpoint/profile.rb | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/lib/travis/api/app/endpoint/profile.rb b/lib/travis/api/app/endpoint/profile.rb
index cb27ae83..e5b62f3e 100644
--- a/lib/travis/api/app/endpoint/profile.rb
+++ b/lib/travis/api/app/endpoint/profile.rb
@@ -30,9 +30,8 @@ class Travis::Api::App
 
       # TODO: Add implementation and documentation.
       post '/sync', scope: :private do
-        # raise NotImplementedError
-        # sync_user(current_user)
-        'ok'
+        sync_user(current_user)
+        204
       end
 
       private

From b1bdbaac962311b22ffbe8e0b008c97fc0302416 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 20 Sep 2012 17:11:44 +0200
Subject: [PATCH 39/42] fix typo

---
 docs/01_cross_origin.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/01_cross_origin.md b/docs/01_cross_origin.md
index cd905e83..48d52548 100644
--- a/docs/01_cross_origin.md
+++ b/docs/01_cross_origin.md
@@ -1,6 +1,6 @@
 # Web Clients
 
-When write an in-browsers client, you have to circumvent the browser's
+When writing an in-browsers client, you have to circumvent the browser's
 [same origin policy](http://en.wikipedia.org/wiki/Same_origin_policy).
 Generally, we offer two different approaches for this:
 [Cross-Origin Resource Sharing](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing) (aka CORS)

From 5d908480c7170a84aebb80b0d0a0398295a207f2 Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Thu, 20 Sep 2012 17:16:12 +0200
Subject: [PATCH 40/42] moar typos

---
 docs/01_cross_origin.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/01_cross_origin.md b/docs/01_cross_origin.md
index 48d52548..6d04b543 100644
--- a/docs/01_cross_origin.md
+++ b/docs/01_cross_origin.md
@@ -1,6 +1,6 @@
 # Web Clients
 
-When writing an in-browsers client, you have to circumvent the browser's
+When writing an in-browser client, you have to circumvent the browser's
 [same origin policy](http://en.wikipedia.org/wiki/Same_origin_policy).
 Generally, we offer two different approaches for this:
 [Cross-Origin Resource Sharing](http://en.wikipedia.org/wiki/Cross-origin_resource_sharing) (aka CORS)

From d887f01e0b27bb2936bcfd929258eec92b76a9b2 Mon Sep 17 00:00:00 2001
From: Sven Fuchs <me@svenfuchs.com>
Date: Sat, 22 Sep 2012 00:48:13 +0200
Subject: [PATCH 41/42] bump deps

---
 Gemfile      |  1 +
 Gemfile.lock | 26 +++++++++-----------------
 2 files changed, 10 insertions(+), 17 deletions(-)

diff --git a/Gemfile b/Gemfile
index cd248d6b..01bb5f3a 100644
--- a/Gemfile
+++ b/Gemfile
@@ -8,6 +8,7 @@ gem 'travis-core',    github: 'travis-ci/travis-core', branch: 'sf-more-services
 gem 'hubble',         github: 'roidrage/hubble'
 gem 'yard-sinatra',   github: 'rkh/yard-sinatra'
 gem 'gh',             github: 'rkh/gh'
+gem 'bunny'
 
 group :test do
   gem 'rspec',        '~> 2.11'
diff --git a/Gemfile.lock b/Gemfile.lock
index 464c0689..5c7e6557 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -6,7 +6,7 @@ GIT
 
 GIT
   remote: git://github.com/rkh/gh.git
-  revision: 5aa120dd493f1430fc1af9d97363daea5c4c3415
+  revision: 2f71fbbf3e159e05756ff3aeda5ba2c06f6f3f2e
   specs:
     gh (0.8.0)
       addressable
@@ -25,9 +25,10 @@ GIT
 
 GIT
   remote: git://github.com/roidrage/hubble.git
-  revision: 5220415d5542a2868d54f7be9f35fc1d66126b8e
+  revision: 8972b940a4f927927d2a4bdb250b3c98c04692a6
   specs:
     hubble (0.1.2)
+      faraday
       json (~> 1.6.5)
 
 GIT
@@ -54,7 +55,7 @@ GIT
 
 GIT
   remote: git://github.com/travis-ci/travis-support.git
-  revision: b150763d253331de9adadcb5b39f7df5efccb676
+  revision: 06844d2db558d88be775ca1cf9cfff8ec36120fb
   specs:
     travis-support (0.0.1)
 
@@ -119,8 +120,7 @@ GEM
       activesupport
     faraday (0.8.4)
       multipart-post (~> 1.1)
-    ffi (1.1.0)
-    foreman (0.53.0)
+    foreman (0.59.0)
       thor (>= 0.13.6)
     hashr (0.0.22)
     hike (1.2.1)
@@ -128,10 +128,7 @@ GEM
     i18n (0.6.1)
     journey (1.0.4)
     json (1.6.7)
-    listen (0.4.7)
-      rb-fchange (~> 0.0.5)
-      rb-fsevent (~> 0.9.1)
-      rb-inotify (~> 0.8.8)
+    listen (0.5.1)
     mail (2.4.4)
       i18n (>= 0.4.0)
       mime-types (~> 1.16)
@@ -142,7 +139,7 @@ GEM
       avl_tree (~> 1.1.2)
       hitimes (~> 1.1)
     mime-types (1.19)
-    mocha (0.12.3)
+    mocha (0.12.4)
       metaclass (~> 0.0.1)
     multi_json (1.3.6)
     multipart-post (1.1.5)
@@ -180,11 +177,6 @@ GEM
       rdoc (~> 3.4)
       thor (>= 0.14.6, < 2.0)
     rake (0.9.2.2)
-    rb-fchange (0.0.5)
-      ffi
-    rb-fsevent (0.9.1)
-    rb-inotify (0.8.8)
-      ffi (>= 0.5.0)
     rdoc (3.12)
       json (~> 1.4)
     redcarpet (2.1.1)
@@ -197,9 +189,9 @@ GEM
       rspec-expectations (~> 2.11.0)
       rspec-mocks (~> 2.11.0)
     rspec-core (2.11.1)
-    rspec-expectations (2.11.2)
+    rspec-expectations (2.11.3)
       diff-lcs (~> 1.1.3)
-    rspec-mocks (2.11.1)
+    rspec-mocks (2.11.3)
     signature (0.1.4)
     simple_states (0.1.1)
       activesupport

From 07038cd7a5426180f9c5d8497d7713439073095b Mon Sep 17 00:00:00 2001
From: Konstantin Haase <konstantin.mailinglists@googlemail.com>
Date: Sat, 22 Sep 2012 17:39:42 +0200
Subject: [PATCH 42/42] better origin check

---
 Gemfile.lock                                 |  4 +-
 lib/travis/api/app/endpoint/authorization.rb | 41 +++++++++++---------
 2 files changed, 25 insertions(+), 20 deletions(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 464c0689..6d5b95d3 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -6,7 +6,7 @@ GIT
 
 GIT
   remote: git://github.com/rkh/gh.git
-  revision: 5aa120dd493f1430fc1af9d97363daea5c4c3415
+  revision: affde20a4fecb1023f2e7031734b9386a76d22c2
   specs:
     gh (0.8.0)
       addressable
@@ -54,7 +54,7 @@ GIT
 
 GIT
   remote: git://github.com/travis-ci/travis-support.git
-  revision: b150763d253331de9adadcb5b39f7df5efccb676
+  revision: 06844d2db558d88be775ca1cf9cfff8ec36120fb
   specs:
     travis-support (0.0.1)
 
diff --git a/lib/travis/api/app/endpoint/authorization.rb b/lib/travis/api/app/endpoint/authorization.rb
index 28e13784..f9be8f6a 100644
--- a/lib/travis/api/app/endpoint/authorization.rb
+++ b/lib/travis/api/app/endpoint/authorization.rb
@@ -42,18 +42,6 @@ class Travis::Api::App
       set prefix: '/auth'
       enable :inline_templates
 
-      configure :development, :test do
-        set :target_origins, ['*']
-      end
-
-      configure :production do
-        set :target_origins, %W[
-          https://#{Travis.config.domain}
-          https://staging.#{Travis.config.domain}
-          https://travis-ember.herokuapp.com
-        ]
-      end
-
       # Endpoint for retrieving an authorization code, which in turn can be used
       # to generate an access token.
       #
@@ -125,9 +113,10 @@ class Travis::Api::App
       # recommended to redirect to [/auth/handshake](#/auth/handshake) if no
       # token is being received.
       get '/post_message' do
-        handshake do |user, token|
+        handshake do |user, token, target_origin|
+          halt 403, invalid_target(target_origin) unless target_ok? target_origin
           rendered_user = Travis::Api.data(service(:user, user).find_one, type: :user, version: :v2)
-          post_message(token: token, user: rendered_user)
+          post_message(token: token, user: rendered_user, target_origin: target_origin)
         end
       end
 
@@ -168,7 +157,8 @@ class Travis::Api::App
           state = SecureRandom.urlsafe_base64(16)
           redis.sadd('github:states', state)
           redis.expire('github:states', 1800)
-          state << ":::" << params[:redirect_uri] if params[:redirect_uri]
+          payload = params[:origin] || params[:redirect_uri]
+          state << ":::" << payload if payload
           state
         end
 
@@ -220,17 +210,32 @@ class Travis::Api::App
           content_type :html
           erb(:post_message, locals: payload)
         end
+
+        def invalid_target(target_origin)
+          content_type :html
+          erb(:invalid_target, {}, target_origin: target_origin)
+        end
+
+        def target_ok?(target_origin)
+          target_origin =~ %r{
+            ^ http://   (localhost|127\.0\.0\.1)(:\d+)? $ |
+            ^ https://  (\w+\.)?travis-ci\.(org|com)    $
+          }x
+        end
     end
   end
 end
 
 __END__
 
+@@ invalid_target
+<script>
+alert('refusing to send a token to <%= target_origin.inspect %>, not whitelisted!');
+</script>
+
 @@ post_message
 <script>
 var payload = <%= render_json(user) %>;
 payload.token = <%= token.inspect %>;
-<% settings.target_origins.each do |target| %>
-  window.parent.postMessage(payload, <%= target.inspect %>);
-<% end %>
+window.parent.postMessage(payload, <%= target_origin.inspect %>);
 </script>