pwnified
diff --git a/‎NXOAuth2Account+Private.h
+2 b/‎NXOAuth2Account+Private.h
+2
diff --git a/‎OAuth2Client.xcodeproj/project.pbxproj
+23-10 b/‎OAuth2Client.xcodeproj/project.pbxproj
+23-10
diff --git a/‎Podfile.lock
+2-2 b/‎Podfile.lock
+2-2
diff --git a/‎README.md
+60-1 b/‎README.md
+60-1
diff --git a/‎Sources/NSString+NXOAuth2.m
+13-9 b/‎Sources/NSString+NXOAuth2.m
+13-9
diff --git a/‎Sources/NSURL+NXOAuth2.h
+2 b/‎Sources/NSURL+NXOAuth2.h
+2
diff --git a/‎Sources/NSURL+NXOAuth2.m
+48-1 b/‎Sources/NSURL+NXOAuth2.m
+48-1
diff --git a/‎Sources/OAuth2Client/NXOAuth2AccessToken.h
+8-4 b/‎Sources/OAuth2Client/NXOAuth2AccessToken.h
+8-4
@@ -21,4 +21,6 @@
 - (instancetype)initAccountWithAccessToken:(NXOAuth2AccessToken *)accessToken
                                accountType:(NSString *)accountType;
 
+@property (nonatomic, strong) NXOAuth2AccessToken *accessToken;
+
 @end
@@ -81,7 +81,6 @@
 
 /* Begin PBXFileReference section */
 		824D5A6D123F68A8001177D5 /* NXOAuth2ClientDelegate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = NXOAuth2ClientDelegate.h; sourceTree = "<group>"; };
-		83DD991B6049465CB61E135B /* Pods-OAuth2ClientTests.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-OAuth2ClientTests.xcconfig"; path = "Pods/Pods-OAuth2ClientTests.xcconfig"; sourceTree = "<group>"; };
 		9404FAC1123E3A6900397DD1 /* NXOAuth2.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = NXOAuth2.h; sourceTree = "<group>"; };
 		9429B3A812267A3100D31807 /* NXOAuth2Client.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = NXOAuth2Client.h; sourceTree = "<group>"; };
 		9429B3A912267A3100D31807 /* NXOAuth2Client.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = NXOAuth2Client.m; sourceTree = "<group>"; };
@@ -111,9 +110,11 @@
 		99D8A7F713852C6E00E3073C /* NSData+NXOAuth2.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "NSData+NXOAuth2.h"; sourceTree = "<group>"; };
 		99D8A7FE13852D3600E3073C /* NSData+NXOAuth2.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = "NSData+NXOAuth2.m"; sourceTree = "<group>"; };
 		99F08DE9138BE8CE002A5401 /* NXOAuth2TrustDelegate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = NXOAuth2TrustDelegate.h; sourceTree = "<group>"; };
+		A584AA53216FADEE87202521 /* Pods-OAuth2ClientTests.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-OAuth2ClientTests.release.xcconfig"; path = "Pods/Target Support Files/Pods-OAuth2ClientTests/Pods-OAuth2ClientTests.release.xcconfig"; sourceTree = "<group>"; };
 		AA747D9E0F9514B9006C5449 /* OAuth2Client_Prefix.pch */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OAuth2Client_Prefix.pch; sourceTree = "<group>"; };
 		AACBBE490F95108600F1A2B1 /* Foundation.framework */ = {isa = PBXFileReference; lastKnownFileType = wrapper.framework; name = Foundation.framework; path = System/Library/Frameworks/Foundation.framework; sourceTree = SDKROOT; };
 		B9E2089E9E7941B7AF3D27AA /* libPods-OAuth2ClientTests.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-OAuth2ClientTests.a"; sourceTree = BUILT_PRODUCTS_DIR; };
+		CCCB476CC96A52415E9D44D3 /* Pods-OAuth2ClientTests.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-OAuth2ClientTests.debug.xcconfig"; path = "Pods/Target Support Files/Pods-OAuth2ClientTests/Pods-OAuth2ClientTests.debug.xcconfig"; sourceTree = "<group>"; };
 		D2AAC07E0554694100DB518D /* libOAuth2Client.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = libOAuth2Client.a; sourceTree = BUILT_PRODUCTS_DIR; };
 		F6525B4313D593C900ACAE8F /* NXOAuth2Account+Private.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = "NXOAuth2Account+Private.h"; sourceTree = SOURCE_ROOT; };
 		F65713CC13CC87FD00C8A33A /* NXOAuth2AccountStore.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = NXOAuth2AccountStore.h; sourceTree = "<group>"; };
@@ -167,7 +168,7 @@
 				0867D69AFE84028FC02AAC07 /* Frameworks */,
 				034768DFFF38A50411DB9C8B /* Products */,
 				942FFCDE12315E2E00E6C65E /* Resources */,
-				83DD991B6049465CB61E135B /* Pods-OAuth2ClientTests.xcconfig */,
+				B061851D30896FF145B69FB5 /* Pods */,
 			);
 			name = OAuth2Client;
 			sourceTree = "<group>";
@@ -261,6 +262,15 @@
 			path = Tests;
 			sourceTree = "<group>";
 		};
+		B061851D30896FF145B69FB5 /* Pods */ = {
+			isa = PBXGroup;
+			children = (
+				CCCB476CC96A52415E9D44D3 /* Pods-OAuth2ClientTests.debug.xcconfig */,
+				A584AA53216FADEE87202521 /* Pods-OAuth2ClientTests.release.xcconfig */,
+			);
+			name = Pods;
+			sourceTree = "<group>";
+		};
 		F6E1A11313D7128100B6DAC3 /* Private */ = {
 			isa = PBXGroup;
 			children = (
@@ -380,18 +390,19 @@
 		0867D690FE84028FC02AAC07 /* Project object */ = {
 			isa = PBXProject;
 			attributes = {
-				LastUpgradeCheck = 1110;
+				LastUpgradeCheck = 1200;
 				ORGANIZATIONNAME = nxtbgthng;
 			};
 			buildConfigurationList = 1DEB922208733DC00010E9CD /* Build configuration list for PBXProject "OAuth2Client" */;
 			compatibilityVersion = "Xcode 3.2";
-			developmentRegion = English;
+			developmentRegion = en;
 			hasScannedForEncodings = 1;
 			knownRegions = (
-				English,
-				Japanese,
-				French,
-				German,
+				Base,
+				ja,
+				de,
+				fr,
+				en,
 			);
 			mainGroup = 0867D691FE84028FC02AAC07 /* OAuth2Client */;
 			productRefGroup = 034768DFFF38A50411DB9C8B /* Products */;
@@ -473,7 +484,6 @@
 				GCC_THUMB_SUPPORT = NO;
 				GCC_VERSION = com.apple.compilers.llvm.clang.1_0;
 				INSTALL_PATH = /usr/local/lib;
-				IPHONEOS_DEPLOYMENT_TARGET = 8.0;
 				PRODUCT_NAME = OAuth2Client;
 				SDKROOT = iphoneos;
 				SKIP_INSTALL = YES;
@@ -492,7 +502,6 @@
 				GCC_THUMB_SUPPORT = NO;
 				GCC_VERSION = com.apple.compilers.llvm.clang.1_0;
 				INSTALL_PATH = /usr/local/lib;
-				IPHONEOS_DEPLOYMENT_TARGET = 8.0;
 				PRODUCT_NAME = OAuth2Client;
 				SDKROOT = iphoneos;
 				SKIP_INSTALL = YES;
@@ -515,6 +524,7 @@
 				CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES;
 				CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;
 				CLANG_WARN_OBJC_LITERAL_CONVERSION = YES;
+				CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES;
 				CLANG_WARN_RANGE_LOOP_ANALYSIS = YES;
 				CLANG_WARN_STRICT_PROTOTYPES = YES;
 				CLANG_WARN_SUSPICIOUS_MOVE = YES;
@@ -531,6 +541,7 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES;
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
+				IPHONEOS_DEPLOYMENT_TARGET = 9.0;
 				MACOSX_DEPLOYMENT_TARGET = 10.7;
 				ONLY_ACTIVE_ARCH = YES;
 				OTHER_LDFLAGS = "-ObjC";
@@ -553,6 +564,7 @@
 				CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES;
 				CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES;
 				CLANG_WARN_OBJC_LITERAL_CONVERSION = YES;
+				CLANG_WARN_QUOTED_INCLUDE_IN_FRAMEWORK_HEADER = YES;
 				CLANG_WARN_RANGE_LOOP_ANALYSIS = YES;
 				CLANG_WARN_STRICT_PROTOTYPES = YES;
 				CLANG_WARN_SUSPICIOUS_MOVE = YES;
@@ -567,6 +579,7 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES;
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
+				IPHONEOS_DEPLOYMENT_TARGET = 9.0;
 				MACOSX_DEPLOYMENT_TARGET = 10.7;
 				OTHER_CFLAGS = "-DNS_BLOCK_ASSERTIONS=1";
 				OTHER_LDFLAGS = "-ObjC";
 
@@ -2,7 +2,7 @@ PODS:
   - Expecta (0.3.1)
   - OCMock (3.1.1)
   - OHHTTPStubs (3.1.5):
-    - OHHTTPStubs/Core
+    - OHHTTPStubs/Core (= 3.1.5)
   - OHHTTPStubs/Core (3.1.5)
   - Specta (0.2.1)
 
@@ -18,4 +18,4 @@ SPEC CHECKSUMS:
   OHHTTPStubs: c1e362552b71b81e1deb7a80f44c51585b946c43
   Specta: 9141310f46b1f68b676650ff2854e1ed0b74163a
 
-COCOAPODS: 0.33.1
+COCOAPODS: 0.36.1
@@ -80,6 +80,19 @@ The best place to configure your client is `+[UIApplicationDelegate initialize]`
 
 Take a look at the [Wiki](https://github.com/nxtbgthng/OAuth2Client/wiki) for some examples.
 
+Unless otherwise specficied, the token request will be called with a HTTP Header 'Content-Type' set to 'multipart/form-data'.  If you wish that header to be set to 'application/x-www-form-urlencoded', the custom header fields must be modified.
+
+<pre>
+NSMutableDictionary *configuration = [NSMutableDictionary dictionaryWithDictionary:[[NXOAuth2AccountStore sharedStore] configurationForAccountType:kOAuth2AccountType]];
+NSDictionary *customHeaderFields = [NSDictionary dictionaryWithObject:@"application/x-www-form-urlencoded" forKey:@"Content-Type"];
+[configuration setObject:customHeaderFields forKey:kNXOAuth2AccountStoreConfigurationCustomHeaderFields];
+[[NXOAuth2AccountStore sharedStore] setConfiguration:configuration forAccountType:kOAuth2AccountType];
+</pre>
+  
+Consult the documentation of the OAuth2 provider to determine acceptable Content-Type header values. 
+
+    
+
 ### Requesting Access to a Service
 
 Once you have configured your client you are ready to request access to one of those services. The NXOAuth2AccountStore provides three different methods for this:
@@ -96,7 +109,12 @@ Once you have configured your client you are ready to request access to one of t
  [[NXOAuth2AccountStore sharedStore] requestAccessToAccountWithType:@"myFancyService"];
  </pre>
 
- If you are using an external browser, your application needs to handle the URL you have registered as an redirect URL for the account type. The service will redirect to that URL after the authentication process.
+ If you are using an external browser, your application needs to handle the URL you have registered as an redirect URL for the account type (e.g. a custom URL scheme like `myfancyscheme://oauth`). The service will redirect to that URL after the authentication process.
+ 
+ In `-[AppDelegate application: openURL: sourceApplication: annotation:]` pass the redirect URL to
+ <pre>
+     [[NXOAuth2AccountStore sharedStore] handleRedirectURL: url];
+ </pre>
 
 - Provide an Authorization URL Handler
  <pre>
@@ -106,6 +124,24 @@ Once you have configured your client you are ready to request access to one of t
  	                            }];
  </pre>
  Using an authorization URL handler gives you the ability to open the URL in an own web view or do some fancy stuff for authentication. Therefore you pass a block to the NXOAuth2AccountStore while requesting access.
+ 
+ One method for receiving a code and exchanging it for an auth token requires the following:
+ 
+  1) Load the preparedURL into an existing UIWebView as part of the block code above. Be certain to set the delegate for the UIWebView.
+  
+ <pre>
+ [_webView loadRequest:[NSURLRequest requestWithURL:preparedURL]];
+ </pre>
+ 
+  2) In the `webViewDidFinishLoad:` delegate method, you will need to parse the URL for your callback URL.  If there is a match, pass that URL to `-[NXOAuth2AccountStore handleRedirectURL:]`
+
+ <pre>
+ if ([webView.request.URL.absoluteString rangeOfString:kOAuth2RedirectURL options:NSCaseInsensitiveSearch].location != NSNotFound) {
+        [[NXOAuth2AccountStore sharedStore] handleRedirectURL:[NSURL URLWithString:webView.request.URL.absoluteString]];        
+    }
+</pre>   
+
+This is a very basic example.  In the above, it is assumed that the `code` being returned from the OAuth2 provider is in the query parameter of the webView.request.URL (i.e. `http://myredirecturl.com?code=<verylongcodestring>`).  This is not always the case and you may have to look elsewhere for the code (e.g. in the page content, web page title).  You must prepare a URL in the format described above to pass to `-[NXOAuth2AccountStore handleRedirectURL:]`.
 
 #### On Success
 
@@ -159,6 +195,29 @@ account.userData = userData;
 
 This payload will be stored together with the accounts in the Keychain. Thus it shouldn't be too big.
 
+### Removing Accounts
+
+To remove an account and its tokens from the store:
+
+<pre>
+[[NXOAuth2AccountStore sharedStore]  removeAccount:account];
+</pre>
+
+Note that if you used a UIWebView to request access to a service as described above, it's likely that the token has been cached in `[NSHTTPCookieStorage sharedHTTPCookieStorage]`
+
+You can remove the auth token from the cookie cache using:
+
+<pre>
+for(NSHTTPCookie *cookie in [[NSHTTPCookieStorage sharedHTTPCookieStorage] cookies]) {
+    if([[cookie domain] isEqualToString:@"myapp.com"]) {
+        [[NSHTTPCookieStorage sharedHTTPCookieStorage] deleteCookie:cookie];
+    }
+}
+[[NSUserDefaults standardUserDefaults] synchronize];
+</pre>
+
+Where `myapp.com` is the domain from which you received the auth token -- likley the `authorizationURL` assigned to the store at the time of request.  As a convenience, you may want to store the domain of the token in the `account.userData` so that it is readily available if you need to delete the cookies.
+
 ### Invoking a Request
 
 A request using the authentication for a service can be invoked via `NXOAuth2Request`. The most convenient method (see below) is a class method which you pass the method, a resource and some parameters (or nil) for the request and to handlers (both optional). One for a progress and the other for the response. The account is used for authentication and can be nil. Then a normal request without authentication will be invoked.
 
@@ -58,19 +58,23 @@ - (NSDictionary *)nxoauth2_parametersFromEncodedQueryString;
 
 - (NSString *)nxoauth2_URLEncodedString;
 {
-    return (__bridge_transfer NSString *) CFURLCreateStringByAddingPercentEscapes(kCFAllocatorDefault, //Allocator
-                                                                                  (__bridge CFStringRef)self, //Original String
-                                                                                  NULL, //Characters to leave unescaped
-                                                                                  CFSTR("!*'();:@&=+$,/?%#[]"), //Legal Characters to be escaped
-                                                                                  kCFStringEncodingUTF8); //Encoding
+	return [self stringByAddingPercentEncodingWithAllowedCharacters:[NSCharacterSet characterSetWithCharactersInString:@"!*'();:@&=+$,/?%#[]"].invertedSet];
+
+//    return (__bridge_transfer NSString *) CFURLCreateStringByAddingPercentEscapes(kCFAllocatorDefault, //Allocator
+//                                                                                  (__bridge CFStringRef)self, //Original String
+//                                                                                  NULL, //Characters to leave unescaped
+//                                                                                  CFSTR("!*'();:@&=+$,/?%#[]"), //Legal Characters to be escaped
+//                                                                                  kCFStringEncodingUTF8); //Encoding
 }
 
 - (NSString *)nxoauth2_URLDecodedString;
 {
-    return (__bridge_transfer NSString *) CFURLCreateStringByReplacingPercentEscapesUsingEncoding(kCFAllocatorDefault,
-                                                                                                  (__bridge CFStringRef)self,
-                                                                                                  CFSTR(""),
-                                                                                                  kCFStringEncodingUTF8);
+	return [self stringByRemovingPercentEncoding];
+
+//    return (__bridge_transfer NSString *) CFURLCreateStringByReplacingPercentEscapesUsingEncoding(kCFAllocatorDefault,
+//                                                                                                  (__bridge CFStringRef)self,
+//                                                                                                  CFSTR(""),
+//                                                                                                  kCFStringEncodingUTF8);
 }
 
 @end
@@ -26,4 +26,6 @@
 - (NSURL *)nxoauth2_URLWithoutQueryString;
 - (NSString *)nxoauth2_URLStringWithoutQueryString;
 
+- (NSError*) nxoauth2_redirectURLError;
+
 @end
@@ -14,7 +14,7 @@
 #import "NSString+NXOAuth2.h"
 
 #import "NSURL+NXOAuth2.h"
-
+#import "NXOAuth2Constants.h"
 
 @implementation NSURL (NXOAuth2)
 
@@ -62,4 +62,51 @@ - (NSString *)nxoauth2_URLStringWithoutQueryString;
     return [parts objectAtIndex:0];
 }
 
+- (NSError*) nxoauth2_redirectURLError
+{
+    NSURL* redirectURL = self;
+    NSInteger errorCode = 0;
+    NSDictionary *userInfo = nil;
+    NSString *errorString = [redirectURL nxoauth2_valueForQueryParameterKey:@"error"];
+    if (errorString) {
+        NSString *localizedError = nil;
+        
+        if ([errorString caseInsensitiveCompare:@"invalid_request"] == NSOrderedSame) {
+            errorCode = NXOAuth2InvalidRequestErrorCode;
+            localizedError = NSLocalizedString(@"Invalid request to OAuth2 Server", @"NXOAuth2InvalidRequestErrorCode description");
+            
+        } else if ([errorString caseInsensitiveCompare:@"invalid_client"] == NSOrderedSame) {
+            errorCode = NXOAuth2InvalidClientErrorCode;
+            localizedError = NSLocalizedString(@"Invalid OAuth2 Client", @"NXOAuth2InvalidClientErrorCode description");
+            
+        } else if ([errorString caseInsensitiveCompare:@"unauthorized_client"] == NSOrderedSame) {
+            errorCode = NXOAuth2UnauthorizedClientErrorCode;
+            localizedError = NSLocalizedString(@"Unauthorized Client", @"NXOAuth2UnauthorizedClientErrorCode description");
+            
+        } else if ([errorString caseInsensitiveCompare:@"redirect_uri_mismatch"] == NSOrderedSame) {
+            errorCode = NXOAuth2RedirectURIMismatchErrorCode;
+            localizedError = NSLocalizedString(@"Redirect URI mismatch", @"NXOAuth2RedirectURIMismatchErrorCode description");
+            
+        } else if ([errorString caseInsensitiveCompare:@"access_denied"] == NSOrderedSame) {
+            errorCode = NXOAuth2AccessDeniedErrorCode;
+            localizedError = NSLocalizedString(@"Access denied", @"NXOAuth2AccessDeniedErrorCode description");
+            
+        } else if ([errorString caseInsensitiveCompare:@"unsupported_response_type"] == NSOrderedSame) {
+            errorCode = NXOAuth2UnsupportedResponseTypeErrorCode;
+            localizedError = NSLocalizedString(@"Unsupported response type", @"NXOAuth2UnsupportedResponseTypeErrorCode description");
+            
+        } else if ([errorString caseInsensitiveCompare:@"invalid_scope"] == NSOrderedSame) {
+            errorCode = NXOAuth2InvalidScopeErrorCode;
+            localizedError = NSLocalizedString(@"Invalid scope", @"NXOAuth2InvalidScopeErrorCode description");
+        }
+        
+        if (localizedError) {
+            userInfo = [NSDictionary dictionaryWithObject:localizedError forKey:NSLocalizedDescriptionKey];
+        }
+    }
+    return [NSError errorWithDomain:NXOAuth2ErrorDomain
+                               code:errorCode
+                           userInfo:userInfo];
+}
+
 @end
@@ -66,10 +66,14 @@
 
 #pragma mark Keychain Support
 
-//TODO: Support alternate KeyChain Locations
+//MIGHTDO: Support alternate KeyChain Locations
++ (instancetype)tokenFromDefaultKeychainWithServiceProviderName:(NSString *)provider
+                                         withAccessGroup:(NSString *)accessGroup;
 
-+ (instancetype)tokenFromDefaultKeychainWithServiceProviderName:(NSString *)provider;
-- (void)storeInDefaultKeychainWithServiceProviderName:(NSString *)provider;
-- (void)removeFromDefaultKeychainWithServiceProviderName:(NSString *)provider;
+- (void)storeInDefaultKeychainWithServiceProviderName:(NSString *)provider
+                               withAccessGroup:(NSString *)accessGroup;
+
+- (void)removeFromDefaultKeychainWithServiceProviderName:(NSString *)provider
+                                  withAccessGroup:(NSString *)accessGroup;
 
 @end