doorkeeper-mongodb 4.1.0 → 4.2.0

data/spec/dummy/tmp/cache/assets/sprockets/v3.0/{ta/taYouTiRnSIHwA3iNj6mcoN57fxG6-AcZRBxXnoZA6A.cache → 3R/3R0IlALSataFe0QXquFlLgPkS12rgPAHsrnaCNZcP5E.cache}

@@ -1 +1 @@
-I"
�/home/bulaj/projects/gems/doorkeeper-mongodb/doorkeeper/app/assets/stylesheets/doorkeeper/application.css?type=text/css&pipeline=self&id=f4b96ba5417e205c1c44db290662b52c49795c768126b78337c466c871a39c34:ET
+I"
�/home/bulaj/projects/gems/doorkeeper-mongodb/doorkeeper/app/assets/stylesheets/doorkeeper/application.css?type=text/css&pipeline=self&id=b2c6260117a362189887859543d86381736f0f1e20635ff6d55612e4247e326a:ET

data/spec/dummy/tmp/cache/assets/sprockets/v3.0/{Wz/WzU5ImvcBYPRRo1bDcUoMBnYvMHElmP1WmpSoWFGrIA.cache → IZ/IZF3X64f5MivAUq6IkvkQkPKxa06jCGI94vN_imFwv8.cache}

@@ -1 +1 @@
-I"
�/home/bulaj/projects/gems/doorkeeper-mongodb/doorkeeper/app/assets/stylesheets/doorkeeper/application.css?type=text/css&id=cbc2326f499a8551d3db0c4aa97a8824202d1f1ac295f50e3defa56e042ca94c:ET
+I"
�/home/bulaj/projects/gems/doorkeeper-mongodb/doorkeeper/app/assets/stylesheets/doorkeeper/application.css?type=text/css&id=2b4f1a012376fe8df9bad1ef9d1f17322a7d2eea251cfbb256abee7b2be1aa2b:ET

data/spec/dummy/tmp/cache/assets/sprockets/v3.0/{T9/T9SRvIirztZ2z-NS27p6uDCnS-SfsrqePihCkC7Z0bo.cache → r2/r2BLffvW211dRKmFTSEtrrxY9mgSpAbJvAMYgffd0Wo.cache}

@@ -1 +1 @@
-I"
�/home/bulaj/projects/gems/doorkeeper-mongodb/doorkeeper/app/assets/stylesheets/doorkeeper/admin/application.css?type=text/css&id=294b60282f08e4364e1ef6f923e8031876e06270421d6ceb4a0a37f700d4d567:ET
+I"
�/home/bulaj/projects/gems/doorkeeper-mongodb/doorkeeper/app/assets/stylesheets/doorkeeper/admin/application.css?type=text/css&id=7a99826ec09d953cd0659f6b3f999512519f4d6e3670f951c04ed582ffc92520:ET

data/spec/dummy/tmp/cache/assets/sprockets/v3.0/{7B/7BQrqCAX5USU9CPwXaBgC9o5N8slSgZi8nbDPdXZWy4.cache → rO/rOJ5Qletb3Q5P_zAPve6Pb0AZLvUfqhr8eTmIMHhTjE.cache}

@@ -1 +1 @@
-I"
�/home/bulaj/projects/gems/doorkeeper-mongodb/doorkeeper/app/assets/stylesheets/doorkeeper/admin/application.css?type=text/css&pipeline=self&id=36bb2174827753889f2fd19280eded5dbc7d4e0c4ae9e9c5f869cb5dfd00d31f:ET
+I"
�/home/bulaj/projects/gems/doorkeeper-mongodb/doorkeeper/app/assets/stylesheets/doorkeeper/admin/application.css?type=text/css&pipeline=self&id=5dd6dfc621fb6aa8db94bad97ddf0700adfaa6f5f98a8a26b7c25822036b070d:ET

data/spec/dummy/tmp/cache/assets/sprockets/v3.0/{Mc/Mc82fixkCIrNkzovtrFyWVaxz_YMs_0nB0z2aUfm1k4.cache → wy/wy1q9jo24sJvPLH8a36mvtxEc8mWcEevN1zuAo-AJHg.cache}

@@ -1 +1 @@
-I"
�/home/bulaj/projects/gems/doorkeeper-mongodb/doorkeeper/vendor/assets/stylesheets/doorkeeper/bootstrap.min.css?type=text/css&pipeline=self&id=1163952fc3e6a5ef3074948d03b7344741db14c5f67d4bd042622360ac4413e4:ET
+I"
�/home/bulaj/projects/gems/doorkeeper-mongodb/doorkeeper/vendor/assets/stylesheets/doorkeeper/bootstrap.min.css?type=text/css&pipeline=self&id=0280591bce4b097f9b7bbf8290c8c59904fd3d9ed44066e86d9cc6f99a562a88:ET

data/spec/lib/config_spec.rb

@@ -162,6 +162,31 @@ describe Doorkeeper, 'configuration' do
     end
   end
 
+  describe 'opt_out_native_route_change' do
+    around(:each) do |example|
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+        opt_out_native_route_change
+      end
+
+      Rails.application.reload_routes!
+
+      subject { Doorkeeper.configuration }
+
+      example.run
+
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+      end
+
+      Rails.application.reload_routes!
+    end
+
+    it 'sets the native authorization code route /:code' do
+      expect(subject.native_authorization_code_route).to eq('/:code')
+    end
+  end
+
   describe 'client_credentials' do
     it 'has defaults order' do
       expect(subject.client_credentials_methods).to eq([:from_basic, :from_params])

data/spec/lib/oauth/authorization_code_request_spec.rb

@@ -81,9 +81,9 @@ module Doorkeeper::OAuth
       expect { subject.authorize }.to_not change { Doorkeeper::AccessToken.count }
     end
 
-    it "calls BaseRequest callback methods" do
-      expect_any_instance_of(BaseRequest).to receive(:before_successful_response).once
-      expect_any_instance_of(BaseRequest).to receive(:after_successful_response).once
+    it "calls configured request callback methods" do
+      expect(Doorkeeper.configuration.before_successful_strategy_response).to receive(:call).with(subject).once
+      expect(Doorkeeper.configuration.after_successful_strategy_response).to receive(:call).with(subject, instance_of(Doorkeeper::OAuth::TokenResponse)).once
       subject.authorize
     end
 
@@ -104,5 +104,20 @@ module Doorkeeper::OAuth
         expect(subject.error).to eq(:invalid_grant)
       end
     end
+
+    context "when redirect_uri is the native one" do
+      let(:redirect_uri) { 'urn:ietf:wg:oauth:2.0:oob' }
+
+      it "invalidates when redirect_uri of the grant is not native" do
+        subject.validate
+        expect(subject.error).to eq(:invalid_grant)
+      end
+
+      it "validates when redirect_uri of the grant is also native" do
+        allow(grant).to receive(:redirect_uri) { redirect_uri }
+        subject.validate
+        expect(subject.error).to eq(nil)
+      end
+    end
   end
 end

data/spec/lib/oauth/client/credentials_spec.rb

@@ -7,9 +7,11 @@ class Doorkeeper::OAuth::Client
     let(:client_id) { 'some-uid' }
     let(:client_secret) { 'some-secret' }
 
-    it 'is blank when any of the credentials is blank' do
+    it 'is blank when the uid in credentials is blank' do
+      expect(Credentials.new(nil, nil)).to be_blank
       expect(Credentials.new(nil, 'something')).to be_blank
-      expect(Credentials.new('something', nil)).to be_blank
+      expect(Credentials.new('something', nil)).to be_present
+      expect(Credentials.new('something', 'something')).to be_present
     end
 
     describe :from_request do

data/spec/lib/oauth/helpers/uri_checker_spec.rb

@@ -5,6 +5,11 @@ require 'doorkeeper/oauth/helpers/uri_checker'
 module Doorkeeper::OAuth::Helpers
   describe URIChecker do
     describe '.valid?' do
+      it 'is valid for native uris' do
+        uri = 'urn:ietf:wg:oauth:2.0:oob'
+        expect(URIChecker.valid?(uri)).to be_truthy
+      end
+
       it 'is valid for valid uris' do
         uri = 'http://app.co'
         expect(URIChecker.valid?(uri)).to be_truthy
@@ -69,6 +74,44 @@ module Doorkeeper::OAuth::Helpers
         client_uri = 'http://example.com?app.co=test'
         expect(URIChecker.matches?(uri, client_uri)).to be_falsey
       end
+
+      context "client registered query params" do
+        it "doesn't allow query being absent" do
+          uri = 'http://app.co'
+          client_uri = 'http://app.co/?vendorId=AJ4L7XXW9'
+          expect(URIChecker.matches?(uri, client_uri)).to be_falsey
+        end
+
+        it "is false if query values differ but key same" do
+          uri = 'http://app.co/?vendorId=pancakes'
+          client_uri = 'http://app.co/?vendorId=waffles'
+          expect(URIChecker.matches?(uri, client_uri)).to be_falsey
+        end
+
+        it "is false if query values same but key differs" do
+          uri = 'http://app.co/?foo=pancakes'
+          client_uri = 'http://app.co/?bar=pancakes'
+          expect(URIChecker.matches?(uri, client_uri)).to be_falsey
+        end
+
+        it "is false if query present and match, but unknown queries present" do
+          uri = 'http://app.co/?vendorId=pancakes&unknown=query'
+          client_uri = 'http://app.co/?vendorId=waffles'
+          expect(URIChecker.matches?(uri, client_uri)).to be_falsey
+        end
+
+        it "is true if queries are present and matche" do
+          uri = 'http://app.co/?vendorId=AJ4L7XXW9&foo=bar'
+          client_uri = 'http://app.co/?vendorId=AJ4L7XXW9&foo=bar'
+          expect(URIChecker.matches?(uri, client_uri)).to be_truthy
+        end
+
+        it "is true if queries are present, match and in different order" do
+          uri = 'http://app.co/?bing=bang&foo=bar'
+          client_uri = 'http://app.co/?foo=bar&bing=bang'
+          expect(URIChecker.matches?(uri, client_uri)).to be_truthy
+        end
+      end
     end
 
     describe '.valid_for_authorization?' do
@@ -101,9 +144,75 @@ module Doorkeeper::OAuth::Helpers
       end
 
       it 'is false if invalid' do
-        uri = client_uri = 'http://app.co/aaa?waffles=abc'
+        uri = 'http://app.co/aaa?pankcakes=abc'
+        client_uri = 'http://app.co/aaa?waffles=abc'
         expect(URIChecker.valid_for_authorization?(uri, client_uri)).to be false
       end
+
+      it 'calls .matches?' do
+        uri = 'http://app.co/aaa?pankcakes=abc'
+        client_uri = 'http://app.co/aaa?waffles=abc'
+        expect(URIChecker).to receive(:matches?).with(uri, client_uri).once
+        URIChecker.valid_for_authorization?(uri, client_uri)
+      end
+
+      it 'calls .valid?' do
+        uri = 'http://app.co/aaa?pankcakes=abc'
+        client_uri = 'http://app.co/aaa?waffles=abc'
+        expect(URIChecker).to receive(:valid?).with(uri).once
+        URIChecker.valid_for_authorization?(uri, client_uri)
+      end
+    end
+
+    describe '.query_matches?' do
+      it 'is true if no queries' do
+        expect(URIChecker.query_matches?('', '')).to be_truthy
+        expect(URIChecker.query_matches?(nil, nil)).to be_truthy
+      end
+
+      it 'is true if same query' do
+        expect(URIChecker.query_matches?('foo', 'foo')).to be_truthy
+      end
+
+      it 'is false if different query' do
+        expect(URIChecker.query_matches?('foo', 'bar')).to be_falsey
+      end
+
+      it 'is true if same queries' do
+        expect(URIChecker.query_matches?('foo&bar', 'foo&bar')).to be_truthy
+      end
+
+      it 'is true if same queries, different order' do
+        expect(URIChecker.query_matches?('foo&bar', 'bar&foo')).to be_truthy
+      end
+
+      it 'is false if one different query' do
+        expect(URIChecker.query_matches?('foo&bang', 'foo&bing')).to be_falsey
+      end
+
+      it 'is true if same query with same value' do
+        expect(URIChecker.query_matches?('foo=bar', 'foo=bar')).to be_truthy
+      end
+
+      it 'is true if same queries with same values' do
+        expect(URIChecker.query_matches?('foo=bar&bing=bang', 'foo=bar&bing=bang')).to be_truthy
+      end
+
+      it 'is true if same queries with same values, different order' do
+        expect(URIChecker.query_matches?('foo=bar&bing=bang', 'bing=bang&foo=bar')).to be_truthy
+      end
+
+      it 'is false if same query with different value' do
+        expect(URIChecker.query_matches?('foo=bar', 'foo=bang')).to be_falsey
+      end
+
+      it 'is false if some queries missing' do
+        expect(URIChecker.query_matches?('foo=bar', 'foo=bar&bing=bang')).to be_falsey
+      end
+
+      it 'is false if some queries different value' do
+        expect(URIChecker.query_matches?('foo=bar&bing=bang', 'foo=bar&bing=banana')).to be_falsey
+      end
     end
   end
 end

data/spec/lib/oauth/password_access_token_request_spec.rb

@@ -67,9 +67,9 @@ module Doorkeeper::OAuth
       end.to_not change { Doorkeeper::AccessToken.count }
     end
 
-    it "calls BaseRequest callback methods" do
-      expect_any_instance_of(BaseRequest).to receive(:before_successful_response).once
-      expect_any_instance_of(BaseRequest).to receive(:after_successful_response).once
+    it "calls configured request callback methods" do
+      expect(Doorkeeper.configuration.before_successful_strategy_response).to receive(:call).with(subject).once
+      expect(Doorkeeper.configuration.after_successful_strategy_response).to receive(:call).with(subject, instance_of(Doorkeeper::OAuth::TokenResponse)).once
       subject.authorize
     end
 

data/spec/lib/oauth/pre_authorization_spec.rb

@@ -123,14 +123,19 @@ module Doorkeeper::OAuth
       expect(subject.scopes).to eq(Scopes.from_string('default'))
     end
 
-    it 'accepts test uri' do
-      subject.redirect_uri = 'urn:ietf:wg:oauth:2.0:oob'
-      expect(subject).to be_authorizable
-    end
+    context 'with native redirect uri' do
+      let(:native_redirect_uri) { 'urn:ietf:wg:oauth:2.0:oob' }
 
-    it 'matches the redirect uri against client\'s one' do
-      subject.redirect_uri = 'http://nothesame.com'
-      expect(subject).not_to be_authorizable
+      it 'accepts redirect_uri when it matches with the client' do
+        subject.redirect_uri = native_redirect_uri
+        allow(subject.client).to receive(:redirect_uri) { native_redirect_uri }
+        expect(subject).to be_authorizable
+      end
+
+      it 'invalidates redirect_uri when it does\'n match with the client' do
+        subject.redirect_uri = native_redirect_uri
+        expect(subject).not_to be_authorizable
+      end
     end
 
     it 'stores the state' do

data/spec/lib/oauth/refresh_token_request_spec.rb

@@ -44,9 +44,9 @@ module Doorkeeper::OAuth
       expect { subject.authorize }.to change { refresh_token.revoked? }.from(false).to(true)
     end
 
-    it "calls BaseRequest callback methods" do
-      expect_any_instance_of(BaseRequest).to receive(:before_successful_response).once
-      expect_any_instance_of(BaseRequest).to receive(:after_successful_response).once
+    it "calls configured request callback methods" do
+      expect(Doorkeeper.configuration.before_successful_strategy_response).to receive(:call).with(subject).once
+      expect(Doorkeeper.configuration.after_successful_strategy_response).to receive(:call).with(subject, instance_of(Doorkeeper::OAuth::TokenResponse)).once
       subject.authorize
     end
 

data/spec/models/doorkeeper/application_spec.rb

@@ -49,6 +49,11 @@ module Doorkeeper
       expect(new_application).not_to be_valid
     end
 
+    it 'is invalid without determining confidentiality' do
+      new_application.confidential = nil
+      expect(new_application).not_to be_valid
+    end
+
     it 'generates uid on create' do
       expect(new_application.uid).to be_nil
       new_application.save
@@ -201,11 +206,97 @@ module Doorkeeper
       end
     end
 
-    describe :authenticate do
-      it 'finds the application via uid/secret' do
-        app = FactoryBot.create :application
-        authenticated = Application.by_uid_and_secret(app.uid, app.secret)
-        expect(authenticated).to eq(app)
+    describe :by_uid_and_secret do
+      context "when application is private/confidential" do
+        it "finds the application via uid/secret" do
+          app = FactoryBot.create :application
+          authenticated = Application.by_uid_and_secret(app.uid, app.secret)
+          expect(authenticated).to eq(app)
+        end
+        context "when secret is wrong" do
+          it "should not find the application" do
+            app = FactoryBot.create :application
+            authenticated = Application.by_uid_and_secret(app.uid, 'bad')
+            expect(authenticated).to eq(nil)
+          end
+        end
+      end
+
+      context "when application is public/non-confidential" do
+        context "when secret is blank" do
+          it "should find the application" do
+            app = FactoryBot.create :application, confidential: false
+            authenticated = Application.by_uid_and_secret(app.uid, nil)
+            expect(authenticated).to eq(app)
+          end
+        end
+        context "when secret is wrong" do
+          it "should not find the application" do
+            app = FactoryBot.create :application, confidential: false
+            authenticated = Application.by_uid_and_secret(app.uid, 'bad')
+            expect(authenticated).to eq(nil)
+          end
+        end
+      end
+    end
+
+    describe :confidential? do
+      subject { FactoryBot.create(:application, confidential: confidential).confidential? }
+
+      context 'when application is private/confidential' do
+        let(:confidential) { true }
+        it { expect(subject).to eq(true) }
+      end
+
+      context 'when application is public/non-confidential' do
+        let(:confidential) { false }
+        it { expect(subject).to eq(false) }
+      end
+    end
+
+    describe :confidential do
+      subject { FactoryBot.create(:application, confidential: confidential).confidential }
+
+      context 'when application is private/confidential' do
+        let(:confidential) { true }
+        it { expect(subject).to eq(true) }
+      end
+
+      context 'when application is public/non-confidential' do
+        let(:confidential) { false }
+        it { expect(subject).to eq(false) }
+      end
+
+      context 'when the application does not support confidentiality' do
+        let(:confidential) { false }
+
+        before { allow(Application).to receive(:supports_confidentiality?).and_return(false) }
+
+        it 'warns of the CVE' do
+          expect(ActiveSupport::Deprecation).to receive(:warn).with(
+            'You are susceptible to security bug ' \
+            'CVE-2018-1000211. Please follow instructions outlined in ' \
+            'Doorkeeper::CVE_2018_1000211_WARNING'
+          )
+          Application.new.confidential
+        end
+
+        it { expect(subject).to eq(true) }
+      end
+    end
+
+    describe :supports_confidentiality? do
+      context 'when no column' do
+        it 'returns false' do
+          expect(Application).to receive(:column_names).and_return(%w[foo bar])
+          expect(Application.supports_confidentiality?).to eq(false)
+        end
+      end
+      context 'when column' do
+        it 'returns true' do
+          expect(Application).to receive(:column_names).and_return(%w[foo bar confidential])
+          expect(Application.supports_confidentiality?).to eq(true)
+        end
       end
     end
   end

data/spec/requests/flows/authorization_code_spec.rb

@@ -53,7 +53,7 @@ feature 'Authorization Code Flow' do
     should_not_have_json 'error'
 
     should_have_json 'access_token', Doorkeeper::AccessToken.first.token
-    should_have_json 'token_type', 'bearer'
+    should_have_json 'token_type', 'Bearer'
     should_have_json_within 'expires_in', Doorkeeper::AccessToken.first.expires_in, 1
   end
 

data/spec/requests/flows/password_spec.rb

@@ -10,46 +10,89 @@ describe 'Resource Owner Password Credentials Flow not set up' do
     it 'doesn\'t issue new token' do
       expect do
         post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      end.to_not change { Doorkeeper::AccessToken.count }
+      end.to_not(change { Doorkeeper::AccessToken.count })
     end
   end
 end
 
 describe 'Resource Owner Password Credentials Flow' do
+  let(:client_attributes) { {} }
+
   before do
     config_is_set(:grant_flows, ["password"])
     config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
-    client_exists
+    client_exists(client_attributes)
     create_resource_owner
   end
 
   context 'with valid user credentials' do
-    it 'should issue new token with confidential client' do
-      expect do
-        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
+    context "with non-confidential/public client" do
+      let(:client_attributes) { { confidential: false } }
 
-      token = Doorkeeper::AccessToken.first
+      context "when client_secret absent" do
+        it "should issue new token" do
+          expect do
+            post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
+          end.to change { Doorkeeper::AccessToken.count }.by(1)
 
-      expect(token.application_id).to eq @client.id
-      should_have_json 'access_token', token.token
+          token = Doorkeeper::AccessToken.first
+
+          expect(token.application_id).to eq @client.id
+          should_have_json 'access_token', token.token
+        end
+      end
+
+      context "when client_secret present" do
+        it "should issue new token" do
+          expect do
+            post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+          end.to change { Doorkeeper::AccessToken.count }.by(1)
+
+          token = Doorkeeper::AccessToken.first
+
+          expect(token.application_id).to eq @client.id
+          should_have_json 'access_token', token.token
+        end
+
+        context "when client_secret incorrect" do
+          it "should not issue new token" do
+            expect do
+              post password_token_endpoint_url(client_id: @client.uid, client_secret: 'foobar', resource_owner: @resource_owner)
+            end.not_to(change { Doorkeeper::AccessToken.count })
+
+            expect(response).not_to be_ok
+          end
+        end
+      end
     end
 
-    it 'should issue new token with public client (only client_id present)' do
-      expect do
-        post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
+    context "with confidential/private client" do
+      it "should issue new token" do
+        expect do
+          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+        end.to change { Doorkeeper::AccessToken.count }.by(1)
 
-      token = Doorkeeper::AccessToken.first
+        token = Doorkeeper::AccessToken.first
 
-      expect(token.application_id).to eq @client.id
-      should_have_json 'access_token', token.token
+        expect(token.application_id).to eq @client.id
+        should_have_json 'access_token', token.token
+      end
+
+      context "when client_secret absent" do
+        it "should not issue new token" do
+          expect do
+            post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
+          end.not_to(change { Doorkeeper::AccessToken.count })
+
+          expect(response).not_to be_ok
+        end
+      end
     end
 
     it 'should issue new token without client credentials' do
       expect do
         post password_token_endpoint_url(resource_owner: @resource_owner)
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
+      end.to(change { Doorkeeper::AccessToken.count }.by(1))
 
       token = Doorkeeper::AccessToken.first
 
@@ -124,13 +167,13 @@ describe 'Resource Owner Password Credentials Flow' do
         post password_token_endpoint_url(client: @client,
                                          resource_owner_username: @resource_owner.name,
                                          resource_owner_password: 'wrongpassword')
-      end.to_not change { Doorkeeper::AccessToken.count }
+      end.to_not(change { Doorkeeper::AccessToken.count })
     end
 
     it 'should not issue new token without credentials' do
       expect do
         post password_token_endpoint_url(client: @client)
-      end.to_not change { Doorkeeper::AccessToken.count }
+      end.to_not(change { Doorkeeper::AccessToken.count })
     end
   end
 
@@ -140,7 +183,7 @@ describe 'Resource Owner Password Credentials Flow' do
         post password_token_endpoint_url(client_id: @client.uid,
                                          client_secret: 'bad_secret',
                                          resource_owner: @resource_owner)
-      end.to_not change { Doorkeeper::AccessToken.count }
+      end.to_not(change { Doorkeeper::AccessToken.count })
     end
   end
 
@@ -148,7 +191,7 @@ describe 'Resource Owner Password Credentials Flow' do
     it 'should not issue new token with bad client id' do
       expect do
         post password_token_endpoint_url(client_id: 'bad_id', resource_owner: @resource_owner)
-      end.to_not change { Doorkeeper::AccessToken.count }
+      end.to_not(change { Doorkeeper::AccessToken.count })
     end
   end
 end