doorkeeper-mongodb 5.2.1 → 5.2.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/doorkeeper-mongodb.rb +1 -0
- data/lib/doorkeeper-mongodb/mixins/mongoid/access_grant_mixin.rb +1 -0
- data/lib/doorkeeper-mongodb/mixins/mongoid/access_token_mixin.rb +1 -0
- data/lib/doorkeeper-mongodb/mixins/mongoid/application_mixin.rb +76 -0
- data/lib/doorkeeper-mongodb/mixins/mongoid/base_mixin.rb +0 -8
- data/lib/doorkeeper-mongodb/mixins/mongoid/json_serializable.rb +17 -0
- data/lib/doorkeeper-mongodb/version.rb +1 -1
- data/spec/controllers/application_metal_controller_spec.rb +4 -4
- data/spec/controllers/applications_controller_spec.rb +198 -202
- data/spec/controllers/authorizations_controller_spec.rb +32 -31
- data/spec/controllers/protected_resources_controller_spec.rb +10 -10
- data/spec/controllers/token_info_controller_spec.rb +1 -1
- data/spec/controllers/tokens_controller_spec.rb +105 -62
- data/spec/doorkeeper/redirect_uri_validator_spec.rb +183 -0
- data/spec/{lib → doorkeeper}/server_spec.rb +5 -4
- data/spec/{lib → doorkeeper}/stale_records_cleaner_spec.rb +8 -7
- data/spec/{version → doorkeeper}/version_spec.rb +3 -3
- data/spec/dummy/log/test.log +4220 -4184
- data/spec/dummy/tmp/cache/assets/sprockets/v4.0.0/{eS/eSL1QMz46gKLM0GR6S9fL6uyARPxOImcappZ9_ZtSyg.cache → Pm/PmheG0PGFqDws1qgFOxOyIL-gpMof3Ar9eSRKVLYuik.cache} +0 -0
- data/spec/grape/grape_integration_spec.rb +1 -1
- data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +1 -1
- data/spec/lib/config_spec.rb +23 -12
- data/spec/lib/doorkeeper_spec.rb +4 -4
- data/spec/lib/models/expirable_spec.rb +9 -9
- data/spec/lib/models/reusable_spec.rb +2 -2
- data/spec/lib/models/revocable_spec.rb +4 -7
- data/spec/lib/models/scopes_spec.rb +7 -7
- data/spec/lib/models/secret_storable_spec.rb +9 -8
- data/spec/lib/oauth/authorization/uri_builder_spec.rb +23 -27
- data/spec/lib/oauth/authorization_code_request_spec.rb +6 -6
- data/spec/lib/oauth/base_request_spec.rb +11 -27
- data/spec/lib/oauth/base_response_spec.rb +2 -2
- data/spec/lib/oauth/client/credentials_spec.rb +25 -25
- data/spec/lib/oauth/client_credentials/creator_spec.rb +89 -91
- data/spec/lib/oauth/client_credentials/issuer_spec.rb +84 -86
- data/spec/lib/oauth/client_credentials/validation_spec.rb +72 -39
- data/spec/lib/oauth/client_credentials_integration_spec.rb +5 -5
- data/spec/lib/oauth/client_credentials_request_spec.rb +7 -10
- data/spec/lib/oauth/client_spec.rb +8 -8
- data/spec/lib/oauth/code_request_spec.rb +5 -5
- data/spec/lib/oauth/code_response_spec.rb +4 -4
- data/spec/lib/oauth/error_response_spec.rb +6 -5
- data/spec/lib/oauth/error_spec.rb +1 -1
- data/spec/lib/oauth/forbidden_token_response_spec.rb +2 -2
- data/spec/lib/oauth/helpers/scope_checker_spec.rb +37 -37
- data/spec/lib/oauth/helpers/unique_token_spec.rb +2 -2
- data/spec/lib/oauth/helpers/uri_checker_spec.rb +54 -54
- data/spec/lib/oauth/invalid_request_response_spec.rb +6 -6
- data/spec/lib/oauth/invalid_token_response_spec.rb +4 -4
- data/spec/lib/oauth/password_access_token_request_spec.rb +10 -9
- data/spec/lib/oauth/pre_authorization_spec.rb +20 -8
- data/spec/lib/oauth/refresh_token_request_spec.rb +10 -10
- data/spec/lib/oauth/scopes_spec.rb +14 -14
- data/spec/lib/oauth/token_request_spec.rb +9 -9
- data/spec/lib/oauth/token_response_spec.rb +5 -5
- data/spec/lib/oauth/token_spec.rb +5 -5
- data/spec/lib/option_spec.rb +1 -1
- data/spec/lib/request/strategy_spec.rb +34 -37
- data/spec/lib/secret_storing/base_spec.rb +3 -2
- data/spec/lib/secret_storing/bcrypt_spec.rb +2 -1
- data/spec/lib/secret_storing/plain_spec.rb +2 -1
- data/spec/lib/secret_storing/sha256_hash_spec.rb +2 -1
- data/spec/models/doorkeeper/access_grant_spec.rb +7 -9
- data/spec/models/doorkeeper/access_token_spec.rb +20 -26
- data/spec/models/doorkeeper/application_spec.rb +83 -26
- data/spec/requests/applications/applications_request_spec.rb +91 -93
- data/spec/requests/endpoints/authorization_spec.rb +1 -1
- data/spec/requests/endpoints/token_spec.rb +22 -16
- data/spec/requests/flows/authorization_code_errors_spec.rb +12 -8
- data/spec/requests/flows/authorization_code_spec.rb +108 -79
- data/spec/requests/flows/client_credentials_spec.rb +57 -45
- data/spec/requests/flows/implicit_grant_spec.rb +4 -4
- data/spec/requests/flows/password_spec.rb +253 -213
- data/spec/requests/flows/refresh_token_spec.rb +53 -39
- data/spec/requests/flows/revoke_token_spec.rb +24 -24
- data/spec/requests/flows/skip_authorization_spec.rb +1 -1
- data/spec/requests/protected_resources/metal_spec.rb +2 -2
- data/spec/routing/custom_controller_routes_spec.rb +1 -1
- data/spec/routing/default_routes_spec.rb +1 -1
- data/spec/routing/scoped_routes_spec.rb +1 -1
- data/spec/support/helpers/request_spec_helper.rb +1 -13
- data/spec/support/helpers/url_helper.rb +2 -2
- data/spec/support/shared/controllers_shared_context.rb +5 -38
- data/spec/support/shared/hashing_shared_context.rb +4 -0
- data/spec/support/shared/models_shared_examples.rb +6 -6
- metadata +13 -10
@@ -2,23 +2,22 @@
|
|
2
2
|
|
3
3
|
require "spec_helper"
|
4
4
|
|
5
|
-
describe "Client Credentials Request" do
|
5
|
+
RSpec.describe "Client Credentials Request" do
|
6
6
|
let(:client) { FactoryBot.create :application }
|
7
7
|
|
8
|
-
context "a valid request" do
|
8
|
+
context "with a valid request" do
|
9
9
|
it "authorizes the client and returns the token response" do
|
10
10
|
headers = authorization client.uid, client.secret
|
11
11
|
params = { grant_type: "client_credentials" }
|
12
12
|
|
13
13
|
post "/oauth/token", params: params, headers: headers
|
14
14
|
|
15
|
-
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
should_not_have_json "error_description"
|
15
|
+
expect(json_response).to match(
|
16
|
+
"access_token" => Doorkeeper::AccessToken.first.token,
|
17
|
+
"token_type" => "Bearer",
|
18
|
+
"expires_in" => Doorkeeper.configuration.access_token_expires_in,
|
19
|
+
"created_at" => an_instance_of(Integer),
|
20
|
+
)
|
22
21
|
end
|
23
22
|
|
24
23
|
context "with scopes" do
|
@@ -33,34 +32,38 @@ describe "Client Credentials Request" do
|
|
33
32
|
|
34
33
|
post "/oauth/token", params: params, headers: headers
|
35
34
|
|
36
|
-
|
37
|
-
|
35
|
+
expect(json_response).to include(
|
36
|
+
"access_token" => Doorkeeper::AccessToken.first.token,
|
37
|
+
"scope" => "write",
|
38
|
+
)
|
38
39
|
end
|
39
40
|
|
40
|
-
context "
|
41
|
+
context "when scopes are default" do
|
41
42
|
it "adds the scope to the token an returns in the response" do
|
42
43
|
headers = authorization client.uid, client.secret
|
43
44
|
params = { grant_type: "client_credentials", scope: "public" }
|
44
45
|
|
45
46
|
post "/oauth/token", params: params, headers: headers
|
46
47
|
|
47
|
-
|
48
|
-
|
48
|
+
expect(json_response).to include(
|
49
|
+
"access_token" => Doorkeeper::AccessToken.first.token,
|
50
|
+
"scope" => "public",
|
51
|
+
)
|
49
52
|
end
|
50
53
|
end
|
51
54
|
|
52
|
-
context "
|
55
|
+
context "when scopes are invalid" do
|
53
56
|
it "does not authorize the client and returns the error" do
|
54
57
|
headers = authorization client.uid, client.secret
|
55
58
|
params = { grant_type: "client_credentials", scope: "random" }
|
56
59
|
|
57
60
|
post "/oauth/token", params: params, headers: headers
|
58
61
|
|
59
|
-
should_have_json "error", "invalid_scope"
|
60
|
-
should_have_json "error_description", translated_error_message(:invalid_scope)
|
61
|
-
should_not_have_json "access_token"
|
62
|
-
|
63
62
|
expect(response.status).to eq(400)
|
63
|
+
expect(json_response).to match(
|
64
|
+
"error" => "invalid_scope",
|
65
|
+
"error_description" => translated_error_message(:invalid_scope),
|
66
|
+
)
|
64
67
|
end
|
65
68
|
end
|
66
69
|
end
|
@@ -82,8 +85,10 @@ describe "Client Credentials Request" do
|
|
82
85
|
|
83
86
|
post "/oauth/token", params: params, headers: headers
|
84
87
|
|
85
|
-
|
86
|
-
|
88
|
+
expect(json_response).to match(
|
89
|
+
"error" => "unauthorized_client",
|
90
|
+
"error_description" => translated_error_message(:unauthorized_client),
|
91
|
+
)
|
87
92
|
end
|
88
93
|
|
89
94
|
scenario "allows the request when satisfies condition" do
|
@@ -94,13 +99,12 @@ describe "Client Credentials Request" do
|
|
94
99
|
|
95
100
|
post "/oauth/token", params: params, headers: headers
|
96
101
|
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
should_not_have_json "error_description"
|
102
|
+
expect(json_response).to match(
|
103
|
+
"access_token" => Doorkeeper::AccessToken.first.token,
|
104
|
+
"token_type" => "Bearer",
|
105
|
+
"expires_in" => 7200,
|
106
|
+
"created_at" => an_instance_of(Integer),
|
107
|
+
)
|
104
108
|
end
|
105
109
|
end
|
106
110
|
|
@@ -122,8 +126,10 @@ describe "Client Credentials Request" do
|
|
122
126
|
token = Doorkeeper::AccessToken.first
|
123
127
|
|
124
128
|
expect(token.application_id).to eq client.id
|
125
|
-
|
126
|
-
|
129
|
+
expect(json_response).to include(
|
130
|
+
"access_token" => token.token,
|
131
|
+
"scope" => "public",
|
132
|
+
)
|
127
133
|
end
|
128
134
|
|
129
135
|
it "issues new token with multiple default scopes that are present in application scopes" do
|
@@ -139,30 +145,33 @@ describe "Client Credentials Request" do
|
|
139
145
|
token = Doorkeeper::AccessToken.first
|
140
146
|
|
141
147
|
expect(token.application_id).to eq client.id
|
142
|
-
|
143
|
-
|
148
|
+
expect(json_response).to include(
|
149
|
+
"access_token" => token.token,
|
150
|
+
"scope" => "public read",
|
151
|
+
)
|
144
152
|
end
|
145
153
|
end
|
146
154
|
|
147
|
-
context "
|
155
|
+
context "when request is invalid" do
|
148
156
|
it "does not authorize the client and returns the error" do
|
149
157
|
headers = {}
|
150
158
|
params = { grant_type: "client_credentials" }
|
151
159
|
|
152
160
|
post "/oauth/token", params: params, headers: headers
|
153
161
|
|
154
|
-
should_have_json "error", "invalid_client"
|
155
|
-
should_have_json "error_description", translated_error_message(:invalid_client)
|
156
|
-
should_not_have_json "access_token"
|
157
|
-
|
158
162
|
expect(response.status).to eq(401)
|
163
|
+
|
164
|
+
expect(json_response).to match(
|
165
|
+
"error" => "invalid_client",
|
166
|
+
"error_description" => translated_error_message(:invalid_client),
|
167
|
+
)
|
159
168
|
end
|
160
169
|
end
|
161
170
|
|
162
171
|
context "when revoke_previous_client_credentials_token is true" do
|
163
172
|
before do
|
164
|
-
allow(Doorkeeper.config).to receive(:reuse_access_token)
|
165
|
-
allow(Doorkeeper.config).to receive(:revoke_previous_client_credentials_token)
|
173
|
+
allow(Doorkeeper.config).to receive(:reuse_access_token).and_return(false)
|
174
|
+
allow(Doorkeeper.config).to receive(:revoke_previous_client_credentials_token?).and_return(true)
|
166
175
|
end
|
167
176
|
|
168
177
|
it "revokes the previous token" do
|
@@ -170,15 +179,15 @@ describe "Client Credentials Request" do
|
|
170
179
|
params = { grant_type: "client_credentials" }
|
171
180
|
|
172
181
|
post "/oauth/token", params: params, headers: headers
|
173
|
-
|
182
|
+
expect(json_response).to include("access_token" => Doorkeeper::AccessToken.first.token)
|
174
183
|
|
175
184
|
token = Doorkeeper::AccessToken.first
|
176
185
|
|
177
186
|
post "/oauth/token", params: params, headers: headers
|
178
|
-
|
187
|
+
expect(json_response).to include("access_token" => Doorkeeper::AccessToken.last.token)
|
179
188
|
|
180
|
-
expect(token.reload
|
181
|
-
expect(Doorkeeper::AccessToken.last
|
189
|
+
expect(token.reload).to be_revoked
|
190
|
+
expect(Doorkeeper::AccessToken.last).not_to be_revoked
|
182
191
|
end
|
183
192
|
|
184
193
|
context "with a simultaneous request" do
|
@@ -194,8 +203,11 @@ describe "Client Credentials Request" do
|
|
194
203
|
params = { grant_type: "client_credentials" }
|
195
204
|
|
196
205
|
post "/oauth/token", params: params, headers: headers
|
197
|
-
|
198
|
-
|
206
|
+
|
207
|
+
expect(json_response).to match(
|
208
|
+
"error" => "invalid_token_reuse",
|
209
|
+
"error_description" => translated_error_message(:server_error),
|
210
|
+
)
|
199
211
|
end
|
200
212
|
end
|
201
213
|
end
|
@@ -44,7 +44,7 @@ feature "Implicit Grant Flow (feature spec)" do
|
|
44
44
|
end
|
45
45
|
end
|
46
46
|
|
47
|
-
describe "Implicit Grant Flow (request spec)" do
|
47
|
+
RSpec.describe "Implicit Grant Flow (request spec)" do
|
48
48
|
before do
|
49
49
|
default_scopes_exist :default
|
50
50
|
config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
|
@@ -53,8 +53,8 @@ describe "Implicit Grant Flow (request spec)" do
|
|
53
53
|
create_resource_owner
|
54
54
|
end
|
55
55
|
|
56
|
-
context "
|
57
|
-
it "
|
56
|
+
context "when reuse_access_token enabled" do
|
57
|
+
it "returns a new token each request" do
|
58
58
|
allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(false)
|
59
59
|
|
60
60
|
token = client_is_authorized(@client, @resource_owner, scopes: "default")
|
@@ -71,7 +71,7 @@ describe "Implicit Grant Flow (request spec)" do
|
|
71
71
|
expect(response.location).not_to include(token.token)
|
72
72
|
end
|
73
73
|
|
74
|
-
it "
|
74
|
+
it "returns the same token if it is still accessible" do
|
75
75
|
allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
|
76
76
|
|
77
77
|
token = client_is_authorized(@client, @resource_owner, scopes: "default")
|
@@ -2,315 +2,355 @@
|
|
2
2
|
|
3
3
|
require "spec_helper"
|
4
4
|
|
5
|
-
describe "Resource Owner Password Credentials Flow
|
6
|
-
|
7
|
-
|
8
|
-
|
9
|
-
|
5
|
+
RSpec.describe "Resource Owner Password Credentials Flow" do
|
6
|
+
context "when not setup properly" do
|
7
|
+
before do
|
8
|
+
client_exists
|
9
|
+
create_resource_owner
|
10
|
+
end
|
10
11
|
|
11
|
-
|
12
|
-
|
13
|
-
|
14
|
-
|
15
|
-
|
12
|
+
context "with valid user credentials" do
|
13
|
+
it "does not issue new token" do
|
14
|
+
expect do
|
15
|
+
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
16
|
+
end.not_to(change { Doorkeeper::AccessToken.count })
|
17
|
+
end
|
16
18
|
end
|
17
19
|
end
|
18
|
-
end
|
19
20
|
|
20
|
-
|
21
|
-
|
21
|
+
context "when grant type configured" do
|
22
|
+
let(:client_attributes) { { redirect_uri: nil } }
|
22
23
|
|
23
|
-
|
24
|
-
|
25
|
-
|
26
|
-
|
27
|
-
|
28
|
-
|
24
|
+
before do
|
25
|
+
config_is_set(:grant_flows, ["password"])
|
26
|
+
config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
|
27
|
+
client_exists(client_attributes)
|
28
|
+
create_resource_owner
|
29
|
+
end
|
29
30
|
|
30
|
-
|
31
|
-
|
32
|
-
|
31
|
+
context "with valid user credentials" do
|
32
|
+
context "with confidential client authorized using Basic auth" do
|
33
|
+
it "issues a new token" do
|
34
|
+
expect do
|
35
|
+
post password_token_endpoint_url(
|
36
|
+
resource_owner: @resource_owner,
|
37
|
+
), headers: { "HTTP_AUTHORIZATION" => basic_auth_header_for_client(@client) }
|
38
|
+
end.to(change { Doorkeeper::AccessToken.count })
|
33
39
|
|
34
|
-
|
35
|
-
|
36
|
-
|
37
|
-
|
38
|
-
|
40
|
+
token = Doorkeeper::AccessToken.first
|
41
|
+
expect(token.application_id).to eq(@client.id)
|
42
|
+
|
43
|
+
expect(json_response).to match(
|
44
|
+
"access_token" => token.token,
|
45
|
+
"expires_in" => an_instance_of(Integer),
|
46
|
+
"token_type" => "Bearer",
|
47
|
+
"created_at" => an_instance_of(Integer),
|
39
48
|
)
|
40
49
|
end
|
50
|
+
end
|
41
51
|
|
42
|
-
|
43
|
-
|
52
|
+
context "with non-confidential/public client" do
|
53
|
+
let(:client_attributes) { { confidential: false } }
|
44
54
|
|
45
|
-
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
|
55
|
+
context "when configured to check application supported grant flow" do
|
56
|
+
before do
|
57
|
+
Doorkeeper.configuration.instance_variable_set(
|
58
|
+
:@allow_grant_flow_for_client,
|
59
|
+
->(_grant_flow, client) { client.name == "admin" },
|
50
60
|
)
|
51
|
-
end
|
61
|
+
end
|
52
62
|
|
53
|
-
|
54
|
-
|
55
|
-
|
63
|
+
scenario "forbids the request when doesn't satisfy condition" do
|
64
|
+
@client.update(name: "sample app")
|
65
|
+
|
66
|
+
expect do
|
67
|
+
post password_token_endpoint_url(
|
68
|
+
client_id: @client.uid,
|
69
|
+
client_secret: "foobar",
|
70
|
+
resource_owner: @resource_owner,
|
71
|
+
)
|
72
|
+
end.not_to(change { Doorkeeper::AccessToken.count })
|
56
73
|
|
57
|
-
|
58
|
-
|
74
|
+
expect(response.status).to eq(401)
|
75
|
+
expect(json_response).to match(
|
76
|
+
"error" => "invalid_client",
|
77
|
+
"error_description" => an_instance_of(String),
|
78
|
+
)
|
79
|
+
end
|
59
80
|
|
60
|
-
|
61
|
-
|
62
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
81
|
+
scenario "allows the request when satisfies condition" do
|
82
|
+
@client.update(name: "admin")
|
63
83
|
|
64
|
-
|
84
|
+
expect do
|
85
|
+
post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
|
86
|
+
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
87
|
+
|
88
|
+
token = Doorkeeper::AccessToken.first
|
89
|
+
expect(token.application_id).to eq(@client.id)
|
65
90
|
|
66
|
-
|
67
|
-
|
91
|
+
expect(json_response).to include("access_token" => token.token)
|
92
|
+
end
|
68
93
|
end
|
69
|
-
end
|
70
94
|
|
71
|
-
|
72
|
-
|
73
|
-
|
74
|
-
|
75
|
-
|
95
|
+
context "when client_secret absent" do
|
96
|
+
it "issues a new token" do
|
97
|
+
expect do
|
98
|
+
post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
|
99
|
+
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
76
100
|
|
77
|
-
|
101
|
+
token = Doorkeeper::AccessToken.first
|
78
102
|
|
79
|
-
|
80
|
-
|
103
|
+
expect(token.application_id).to eq(@client.id)
|
104
|
+
expect(json_response).to include("access_token" => token.token)
|
105
|
+
end
|
106
|
+
end
|
107
|
+
|
108
|
+
context "when client_secret present" do
|
109
|
+
it "issues a new token" do
|
110
|
+
expect do
|
111
|
+
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
112
|
+
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
113
|
+
|
114
|
+
token = Doorkeeper::AccessToken.first
|
115
|
+
|
116
|
+
expect(token.application_id).to eq(@client.id)
|
117
|
+
expect(json_response).to include("access_token" => token.token)
|
118
|
+
end
|
119
|
+
|
120
|
+
context "when client_secret incorrect" do
|
121
|
+
it "doesn't issue new token" do
|
122
|
+
expect do
|
123
|
+
post password_token_endpoint_url(
|
124
|
+
client_id: @client.uid,
|
125
|
+
client_secret: "foobar",
|
126
|
+
resource_owner: @resource_owner,
|
127
|
+
)
|
128
|
+
end.not_to(change { Doorkeeper::AccessToken.count })
|
129
|
+
|
130
|
+
expect(response.status).to eq(401)
|
131
|
+
expect(json_response).to include(
|
132
|
+
"error" => "invalid_client",
|
133
|
+
"error_description" => an_instance_of(String),
|
134
|
+
)
|
135
|
+
end
|
136
|
+
end
|
81
137
|
end
|
82
138
|
end
|
83
139
|
|
84
|
-
context "
|
85
|
-
it "
|
140
|
+
context "with confidential/private client" do
|
141
|
+
it "issues a new token" do
|
86
142
|
expect do
|
87
143
|
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
88
144
|
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
89
145
|
|
90
146
|
token = Doorkeeper::AccessToken.first
|
91
147
|
|
92
|
-
expect(token.application_id).to eq
|
93
|
-
|
148
|
+
expect(token.application_id).to eq(@client.id)
|
149
|
+
expect(json_response).to include("access_token" => token.token)
|
94
150
|
end
|
95
151
|
|
96
|
-
context "when client_secret
|
97
|
-
it "
|
152
|
+
context "when client_secret absent" do
|
153
|
+
it "doesn't issue new token" do
|
98
154
|
expect do
|
99
|
-
post password_token_endpoint_url(
|
100
|
-
client_id: @client.uid,
|
101
|
-
client_secret: "foobar",
|
102
|
-
resource_owner: @resource_owner,
|
103
|
-
)
|
155
|
+
post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
|
104
156
|
end.not_to(change { Doorkeeper::AccessToken.count })
|
105
157
|
|
106
158
|
expect(response.status).to eq(401)
|
107
|
-
|
159
|
+
expect(json_response).to match(
|
160
|
+
"error" => "invalid_client",
|
161
|
+
"error_description" => an_instance_of(String),
|
162
|
+
)
|
108
163
|
end
|
109
164
|
end
|
110
165
|
end
|
111
|
-
end
|
112
166
|
|
113
|
-
|
114
|
-
it "should issue new token" do
|
167
|
+
it "issues new token without client credentials" do
|
115
168
|
expect do
|
116
|
-
post password_token_endpoint_url(
|
117
|
-
end.to
|
169
|
+
post password_token_endpoint_url(resource_owner: @resource_owner)
|
170
|
+
end.to(change { Doorkeeper::AccessToken.count }.by(1))
|
118
171
|
|
119
172
|
token = Doorkeeper::AccessToken.first
|
120
173
|
|
121
|
-
expect(token.application_id).to
|
122
|
-
|
123
|
-
end
|
124
|
-
|
125
|
-
context "when client_secret absent" do
|
126
|
-
it "should not issue new token" do
|
127
|
-
expect do
|
128
|
-
post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
|
129
|
-
end.not_to(change { Doorkeeper::AccessToken.count })
|
130
|
-
|
131
|
-
expect(response.status).to eq(401)
|
132
|
-
should_have_json "error", "invalid_client"
|
133
|
-
end
|
174
|
+
expect(token.application_id).to be_nil
|
175
|
+
expect(json_response).to include("access_token" => token.token)
|
134
176
|
end
|
135
|
-
end
|
136
177
|
|
137
|
-
|
138
|
-
|
139
|
-
post password_token_endpoint_url(resource_owner: @resource_owner)
|
140
|
-
end.to(change { Doorkeeper::AccessToken.count }.by(1))
|
178
|
+
it "issues a refresh token if enabled" do
|
179
|
+
config_is_set(:refresh_token_enabled, true)
|
141
180
|
|
142
|
-
|
181
|
+
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
143
182
|
|
144
|
-
|
145
|
-
|
146
|
-
|
183
|
+
token = Doorkeeper::AccessToken.first
|
184
|
+
expect(json_response).to include("refresh_token" => token.refresh_token)
|
185
|
+
end
|
147
186
|
|
148
|
-
|
149
|
-
|
187
|
+
it "returns the same token if it is still accessible" do
|
188
|
+
allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
|
150
189
|
|
151
|
-
|
190
|
+
client_is_authorized(@client, @resource_owner)
|
152
191
|
|
153
|
-
|
192
|
+
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
154
193
|
|
155
|
-
|
156
|
-
|
194
|
+
expect(Doorkeeper::AccessToken.count).to be(1)
|
195
|
+
expect(json_response).to include("access_token" => Doorkeeper::AccessToken.first.token)
|
196
|
+
end
|
157
197
|
|
158
|
-
|
159
|
-
|
198
|
+
context "with valid, default scope" do
|
199
|
+
before do
|
200
|
+
default_scopes_exist :public
|
201
|
+
end
|
160
202
|
|
161
|
-
|
203
|
+
it "issues new token" do
|
204
|
+
expect do
|
205
|
+
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner, scope: "public")
|
206
|
+
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
162
207
|
|
163
|
-
|
208
|
+
token = Doorkeeper::AccessToken.first
|
164
209
|
|
165
|
-
|
166
|
-
|
210
|
+
expect(token.application_id).to eq(@client.id)
|
211
|
+
expect(json_response).to include(
|
212
|
+
"access_token" => token.token,
|
213
|
+
"scope" => "public",
|
214
|
+
)
|
215
|
+
end
|
216
|
+
end
|
167
217
|
end
|
168
218
|
|
169
|
-
context "
|
219
|
+
context "when application scopes are present and differs from configured default scopes and no scope is passed" do
|
170
220
|
before do
|
171
221
|
default_scopes_exist :public
|
222
|
+
@client.update(scopes: "abc")
|
172
223
|
end
|
173
224
|
|
174
|
-
it "
|
225
|
+
it "issues new token without any scope" do
|
175
226
|
expect do
|
176
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner
|
227
|
+
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
177
228
|
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
178
229
|
|
179
230
|
token = Doorkeeper::AccessToken.first
|
180
231
|
|
181
|
-
expect(token.application_id).to eq
|
182
|
-
|
183
|
-
|
232
|
+
expect(token.application_id).to eq(@client.id)
|
233
|
+
expect(token.scopes).to be_empty
|
234
|
+
expect(json_response).to include("access_token" => token.token)
|
235
|
+
expect(json_response).not_to include("scope")
|
184
236
|
end
|
185
237
|
end
|
186
|
-
end
|
187
238
|
|
188
|
-
|
189
|
-
|
190
|
-
|
191
|
-
|
192
|
-
end
|
239
|
+
context "when application scopes contain some of the default scopes and no scope is passed" do
|
240
|
+
before do
|
241
|
+
@client.update(scopes: "read write public")
|
242
|
+
end
|
193
243
|
|
194
|
-
|
195
|
-
|
196
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
197
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
244
|
+
it "issues new token with one default scope that are present in application scopes" do
|
245
|
+
default_scopes_exist :public, :admin
|
198
246
|
|
199
|
-
|
247
|
+
expect do
|
248
|
+
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
249
|
+
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
200
250
|
|
201
|
-
|
202
|
-
expect(token.scopes).to be_empty
|
203
|
-
should_have_json "access_token", token.token
|
204
|
-
should_not_have_json "scope"
|
205
|
-
end
|
206
|
-
end
|
251
|
+
token = Doorkeeper::AccessToken.first
|
207
252
|
|
208
|
-
|
209
|
-
|
210
|
-
|
211
|
-
|
253
|
+
expect(token.application_id).to eq(@client.id)
|
254
|
+
expect(json_response).to include(
|
255
|
+
"access_token" => token.token,
|
256
|
+
"scope" => "public",
|
257
|
+
)
|
258
|
+
end
|
212
259
|
|
213
|
-
|
214
|
-
|
260
|
+
it "issues new token with multiple default scopes that are present in application scopes" do
|
261
|
+
default_scopes_exist :public, :read, :update
|
215
262
|
|
216
|
-
|
217
|
-
|
218
|
-
|
263
|
+
expect do
|
264
|
+
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
265
|
+
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
219
266
|
|
220
|
-
|
267
|
+
token = Doorkeeper::AccessToken.first
|
221
268
|
|
222
|
-
|
223
|
-
|
224
|
-
|
269
|
+
expect(token.application_id).to eq(@client.id)
|
270
|
+
expect(json_response).to include(
|
271
|
+
"access_token" => token.token,
|
272
|
+
"scope" => "public read",
|
273
|
+
)
|
274
|
+
end
|
225
275
|
end
|
226
276
|
|
227
|
-
|
228
|
-
|
229
|
-
|
230
|
-
|
231
|
-
|
232
|
-
|
233
|
-
|
234
|
-
|
277
|
+
context "with invalid scopes" do
|
278
|
+
subject do
|
279
|
+
post password_token_endpoint_url(
|
280
|
+
client: @client,
|
281
|
+
resource_owner: @resource_owner,
|
282
|
+
scope: "random",
|
283
|
+
)
|
284
|
+
end
|
235
285
|
|
236
|
-
|
237
|
-
|
238
|
-
|
239
|
-
end
|
240
|
-
end
|
286
|
+
it "doesn't issue new token" do
|
287
|
+
expect { subject }.not_to(change { Doorkeeper::AccessToken.count })
|
288
|
+
end
|
241
289
|
|
242
|
-
|
243
|
-
|
244
|
-
post password_token_endpoint_url(
|
245
|
-
client: @client,
|
246
|
-
resource_owner: @resource_owner,
|
247
|
-
scope: "random",
|
248
|
-
)
|
249
|
-
end
|
290
|
+
it "returns invalid_scope error" do
|
291
|
+
subject
|
250
292
|
|
251
|
-
|
252
|
-
|
253
|
-
|
293
|
+
expect(json_response).to include(
|
294
|
+
"error" => "invalid_scope",
|
295
|
+
"error_description" => translated_error_message(:invalid_scope),
|
296
|
+
)
|
254
297
|
|
255
|
-
|
256
|
-
subject
|
257
|
-
should_have_json "error", "invalid_scope"
|
258
|
-
should_have_json "error_description", translated_error_message(:invalid_scope)
|
259
|
-
should_not_have_json "access_token"
|
298
|
+
expect(json_response).not_to include("access_token")
|
260
299
|
|
261
|
-
|
300
|
+
expect(response.status).to eq(400)
|
301
|
+
end
|
262
302
|
end
|
263
|
-
end
|
264
303
|
|
265
|
-
|
266
|
-
|
267
|
-
|
268
|
-
|
269
|
-
|
270
|
-
|
271
|
-
|
272
|
-
|
273
|
-
|
274
|
-
|
304
|
+
context "with invalid user credentials" do
|
305
|
+
it "doesn't issue new token with bad password" do
|
306
|
+
expect do
|
307
|
+
post password_token_endpoint_url(
|
308
|
+
client: @client,
|
309
|
+
resource_owner_username: @resource_owner.name,
|
310
|
+
resource_owner_password: "wrongpassword",
|
311
|
+
)
|
312
|
+
end.not_to(change { Doorkeeper::AccessToken.count })
|
313
|
+
end
|
275
314
|
|
276
|
-
|
277
|
-
|
278
|
-
|
279
|
-
|
280
|
-
|
315
|
+
it "doesn't issue new token without credentials" do
|
316
|
+
expect do
|
317
|
+
post password_token_endpoint_url(client: @client)
|
318
|
+
end.not_to(change { Doorkeeper::AccessToken.count })
|
319
|
+
end
|
281
320
|
|
282
|
-
|
283
|
-
|
321
|
+
it "doesn't issue new token if resource_owner_from_credentials returned false or nil" do
|
322
|
+
config_is_set(:resource_owner_from_credentials) { false }
|
284
323
|
|
285
|
-
|
286
|
-
|
287
|
-
|
324
|
+
expect do
|
325
|
+
post password_token_endpoint_url(client: @client)
|
326
|
+
end.not_to(change { Doorkeeper::AccessToken.count })
|
288
327
|
|
289
|
-
|
328
|
+
config_is_set(:resource_owner_from_credentials) { nil }
|
290
329
|
|
291
|
-
|
292
|
-
|
293
|
-
|
330
|
+
expect do
|
331
|
+
post password_token_endpoint_url(client: @client)
|
332
|
+
end.not_to(change { Doorkeeper::AccessToken.count })
|
333
|
+
end
|
294
334
|
end
|
295
|
-
end
|
296
335
|
|
297
|
-
|
298
|
-
|
299
|
-
|
300
|
-
|
301
|
-
|
302
|
-
|
303
|
-
|
304
|
-
|
305
|
-
|
336
|
+
context "with invalid confidential client credentials" do
|
337
|
+
it "doesn't issue new token with bad client credentials" do
|
338
|
+
expect do
|
339
|
+
post password_token_endpoint_url(
|
340
|
+
client_id: @client.uid,
|
341
|
+
client_secret: "bad_secret",
|
342
|
+
resource_owner: @resource_owner,
|
343
|
+
)
|
344
|
+
end.not_to(change { Doorkeeper::AccessToken.count })
|
345
|
+
end
|
306
346
|
end
|
307
|
-
end
|
308
347
|
|
309
|
-
|
310
|
-
|
311
|
-
|
312
|
-
|
313
|
-
|
348
|
+
context "with invalid public client id" do
|
349
|
+
it "doesn't issue new token with bad client id" do
|
350
|
+
expect do
|
351
|
+
post password_token_endpoint_url(client_id: "bad_id", resource_owner: @resource_owner)
|
352
|
+
end.not_to(change { Doorkeeper::AccessToken.count })
|
353
|
+
end
|
314
354
|
end
|
315
355
|
end
|
316
356
|
end
|