doorkeeper-mongodb 5.2.1 → 5.2.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/doorkeeper-mongodb.rb +1 -0
- data/lib/doorkeeper-mongodb/mixins/mongoid/access_grant_mixin.rb +1 -0
- data/lib/doorkeeper-mongodb/mixins/mongoid/access_token_mixin.rb +1 -0
- data/lib/doorkeeper-mongodb/mixins/mongoid/application_mixin.rb +76 -0
- data/lib/doorkeeper-mongodb/mixins/mongoid/base_mixin.rb +0 -8
- data/lib/doorkeeper-mongodb/mixins/mongoid/json_serializable.rb +17 -0
- data/lib/doorkeeper-mongodb/version.rb +1 -1
- data/spec/controllers/application_metal_controller_spec.rb +4 -4
- data/spec/controllers/applications_controller_spec.rb +198 -202
- data/spec/controllers/authorizations_controller_spec.rb +32 -31
- data/spec/controllers/protected_resources_controller_spec.rb +10 -10
- data/spec/controllers/token_info_controller_spec.rb +1 -1
- data/spec/controllers/tokens_controller_spec.rb +105 -62
- data/spec/doorkeeper/redirect_uri_validator_spec.rb +183 -0
- data/spec/{lib → doorkeeper}/server_spec.rb +5 -4
- data/spec/{lib → doorkeeper}/stale_records_cleaner_spec.rb +8 -7
- data/spec/{version → doorkeeper}/version_spec.rb +3 -3
- data/spec/dummy/log/test.log +4220 -4184
- data/spec/dummy/tmp/cache/assets/sprockets/v4.0.0/{eS/eSL1QMz46gKLM0GR6S9fL6uyARPxOImcappZ9_ZtSyg.cache → Pm/PmheG0PGFqDws1qgFOxOyIL-gpMof3Ar9eSRKVLYuik.cache} +0 -0
- data/spec/grape/grape_integration_spec.rb +1 -1
- data/spec/helpers/doorkeeper/dashboard_helper_spec.rb +1 -1
- data/spec/lib/config_spec.rb +23 -12
- data/spec/lib/doorkeeper_spec.rb +4 -4
- data/spec/lib/models/expirable_spec.rb +9 -9
- data/spec/lib/models/reusable_spec.rb +2 -2
- data/spec/lib/models/revocable_spec.rb +4 -7
- data/spec/lib/models/scopes_spec.rb +7 -7
- data/spec/lib/models/secret_storable_spec.rb +9 -8
- data/spec/lib/oauth/authorization/uri_builder_spec.rb +23 -27
- data/spec/lib/oauth/authorization_code_request_spec.rb +6 -6
- data/spec/lib/oauth/base_request_spec.rb +11 -27
- data/spec/lib/oauth/base_response_spec.rb +2 -2
- data/spec/lib/oauth/client/credentials_spec.rb +25 -25
- data/spec/lib/oauth/client_credentials/creator_spec.rb +89 -91
- data/spec/lib/oauth/client_credentials/issuer_spec.rb +84 -86
- data/spec/lib/oauth/client_credentials/validation_spec.rb +72 -39
- data/spec/lib/oauth/client_credentials_integration_spec.rb +5 -5
- data/spec/lib/oauth/client_credentials_request_spec.rb +7 -10
- data/spec/lib/oauth/client_spec.rb +8 -8
- data/spec/lib/oauth/code_request_spec.rb +5 -5
- data/spec/lib/oauth/code_response_spec.rb +4 -4
- data/spec/lib/oauth/error_response_spec.rb +6 -5
- data/spec/lib/oauth/error_spec.rb +1 -1
- data/spec/lib/oauth/forbidden_token_response_spec.rb +2 -2
- data/spec/lib/oauth/helpers/scope_checker_spec.rb +37 -37
- data/spec/lib/oauth/helpers/unique_token_spec.rb +2 -2
- data/spec/lib/oauth/helpers/uri_checker_spec.rb +54 -54
- data/spec/lib/oauth/invalid_request_response_spec.rb +6 -6
- data/spec/lib/oauth/invalid_token_response_spec.rb +4 -4
- data/spec/lib/oauth/password_access_token_request_spec.rb +10 -9
- data/spec/lib/oauth/pre_authorization_spec.rb +20 -8
- data/spec/lib/oauth/refresh_token_request_spec.rb +10 -10
- data/spec/lib/oauth/scopes_spec.rb +14 -14
- data/spec/lib/oauth/token_request_spec.rb +9 -9
- data/spec/lib/oauth/token_response_spec.rb +5 -5
- data/spec/lib/oauth/token_spec.rb +5 -5
- data/spec/lib/option_spec.rb +1 -1
- data/spec/lib/request/strategy_spec.rb +34 -37
- data/spec/lib/secret_storing/base_spec.rb +3 -2
- data/spec/lib/secret_storing/bcrypt_spec.rb +2 -1
- data/spec/lib/secret_storing/plain_spec.rb +2 -1
- data/spec/lib/secret_storing/sha256_hash_spec.rb +2 -1
- data/spec/models/doorkeeper/access_grant_spec.rb +7 -9
- data/spec/models/doorkeeper/access_token_spec.rb +20 -26
- data/spec/models/doorkeeper/application_spec.rb +83 -26
- data/spec/requests/applications/applications_request_spec.rb +91 -93
- data/spec/requests/endpoints/authorization_spec.rb +1 -1
- data/spec/requests/endpoints/token_spec.rb +22 -16
- data/spec/requests/flows/authorization_code_errors_spec.rb +12 -8
- data/spec/requests/flows/authorization_code_spec.rb +108 -79
- data/spec/requests/flows/client_credentials_spec.rb +57 -45
- data/spec/requests/flows/implicit_grant_spec.rb +4 -4
- data/spec/requests/flows/password_spec.rb +253 -213
- data/spec/requests/flows/refresh_token_spec.rb +53 -39
- data/spec/requests/flows/revoke_token_spec.rb +24 -24
- data/spec/requests/flows/skip_authorization_spec.rb +1 -1
- data/spec/requests/protected_resources/metal_spec.rb +2 -2
- data/spec/routing/custom_controller_routes_spec.rb +1 -1
- data/spec/routing/default_routes_spec.rb +1 -1
- data/spec/routing/scoped_routes_spec.rb +1 -1
- data/spec/support/helpers/request_spec_helper.rb +1 -13
- data/spec/support/helpers/url_helper.rb +2 -2
- data/spec/support/shared/controllers_shared_context.rb +5 -38
- data/spec/support/shared/hashing_shared_context.rb +4 -0
- data/spec/support/shared/models_shared_examples.rb +6 -6
- metadata +13 -10
|
@@ -2,23 +2,22 @@
|
|
|
2
2
|
|
|
3
3
|
require "spec_helper"
|
|
4
4
|
|
|
5
|
-
describe "Client Credentials Request" do
|
|
5
|
+
RSpec.describe "Client Credentials Request" do
|
|
6
6
|
let(:client) { FactoryBot.create :application }
|
|
7
7
|
|
|
8
|
-
context "a valid request" do
|
|
8
|
+
context "with a valid request" do
|
|
9
9
|
it "authorizes the client and returns the token response" do
|
|
10
10
|
headers = authorization client.uid, client.secret
|
|
11
11
|
params = { grant_type: "client_credentials" }
|
|
12
12
|
|
|
13
13
|
post "/oauth/token", params: params, headers: headers
|
|
14
14
|
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
should_not_have_json "error_description"
|
|
15
|
+
expect(json_response).to match(
|
|
16
|
+
"access_token" => Doorkeeper::AccessToken.first.token,
|
|
17
|
+
"token_type" => "Bearer",
|
|
18
|
+
"expires_in" => Doorkeeper.configuration.access_token_expires_in,
|
|
19
|
+
"created_at" => an_instance_of(Integer),
|
|
20
|
+
)
|
|
22
21
|
end
|
|
23
22
|
|
|
24
23
|
context "with scopes" do
|
|
@@ -33,34 +32,38 @@ describe "Client Credentials Request" do
|
|
|
33
32
|
|
|
34
33
|
post "/oauth/token", params: params, headers: headers
|
|
35
34
|
|
|
36
|
-
|
|
37
|
-
|
|
35
|
+
expect(json_response).to include(
|
|
36
|
+
"access_token" => Doorkeeper::AccessToken.first.token,
|
|
37
|
+
"scope" => "write",
|
|
38
|
+
)
|
|
38
39
|
end
|
|
39
40
|
|
|
40
|
-
context "
|
|
41
|
+
context "when scopes are default" do
|
|
41
42
|
it "adds the scope to the token an returns in the response" do
|
|
42
43
|
headers = authorization client.uid, client.secret
|
|
43
44
|
params = { grant_type: "client_credentials", scope: "public" }
|
|
44
45
|
|
|
45
46
|
post "/oauth/token", params: params, headers: headers
|
|
46
47
|
|
|
47
|
-
|
|
48
|
-
|
|
48
|
+
expect(json_response).to include(
|
|
49
|
+
"access_token" => Doorkeeper::AccessToken.first.token,
|
|
50
|
+
"scope" => "public",
|
|
51
|
+
)
|
|
49
52
|
end
|
|
50
53
|
end
|
|
51
54
|
|
|
52
|
-
context "
|
|
55
|
+
context "when scopes are invalid" do
|
|
53
56
|
it "does not authorize the client and returns the error" do
|
|
54
57
|
headers = authorization client.uid, client.secret
|
|
55
58
|
params = { grant_type: "client_credentials", scope: "random" }
|
|
56
59
|
|
|
57
60
|
post "/oauth/token", params: params, headers: headers
|
|
58
61
|
|
|
59
|
-
should_have_json "error", "invalid_scope"
|
|
60
|
-
should_have_json "error_description", translated_error_message(:invalid_scope)
|
|
61
|
-
should_not_have_json "access_token"
|
|
62
|
-
|
|
63
62
|
expect(response.status).to eq(400)
|
|
63
|
+
expect(json_response).to match(
|
|
64
|
+
"error" => "invalid_scope",
|
|
65
|
+
"error_description" => translated_error_message(:invalid_scope),
|
|
66
|
+
)
|
|
64
67
|
end
|
|
65
68
|
end
|
|
66
69
|
end
|
|
@@ -82,8 +85,10 @@ describe "Client Credentials Request" do
|
|
|
82
85
|
|
|
83
86
|
post "/oauth/token", params: params, headers: headers
|
|
84
87
|
|
|
85
|
-
|
|
86
|
-
|
|
88
|
+
expect(json_response).to match(
|
|
89
|
+
"error" => "unauthorized_client",
|
|
90
|
+
"error_description" => translated_error_message(:unauthorized_client),
|
|
91
|
+
)
|
|
87
92
|
end
|
|
88
93
|
|
|
89
94
|
scenario "allows the request when satisfies condition" do
|
|
@@ -94,13 +99,12 @@ describe "Client Credentials Request" do
|
|
|
94
99
|
|
|
95
100
|
post "/oauth/token", params: params, headers: headers
|
|
96
101
|
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
should_not_have_json "error_description"
|
|
102
|
+
expect(json_response).to match(
|
|
103
|
+
"access_token" => Doorkeeper::AccessToken.first.token,
|
|
104
|
+
"token_type" => "Bearer",
|
|
105
|
+
"expires_in" => 7200,
|
|
106
|
+
"created_at" => an_instance_of(Integer),
|
|
107
|
+
)
|
|
104
108
|
end
|
|
105
109
|
end
|
|
106
110
|
|
|
@@ -122,8 +126,10 @@ describe "Client Credentials Request" do
|
|
|
122
126
|
token = Doorkeeper::AccessToken.first
|
|
123
127
|
|
|
124
128
|
expect(token.application_id).to eq client.id
|
|
125
|
-
|
|
126
|
-
|
|
129
|
+
expect(json_response).to include(
|
|
130
|
+
"access_token" => token.token,
|
|
131
|
+
"scope" => "public",
|
|
132
|
+
)
|
|
127
133
|
end
|
|
128
134
|
|
|
129
135
|
it "issues new token with multiple default scopes that are present in application scopes" do
|
|
@@ -139,30 +145,33 @@ describe "Client Credentials Request" do
|
|
|
139
145
|
token = Doorkeeper::AccessToken.first
|
|
140
146
|
|
|
141
147
|
expect(token.application_id).to eq client.id
|
|
142
|
-
|
|
143
|
-
|
|
148
|
+
expect(json_response).to include(
|
|
149
|
+
"access_token" => token.token,
|
|
150
|
+
"scope" => "public read",
|
|
151
|
+
)
|
|
144
152
|
end
|
|
145
153
|
end
|
|
146
154
|
|
|
147
|
-
context "
|
|
155
|
+
context "when request is invalid" do
|
|
148
156
|
it "does not authorize the client and returns the error" do
|
|
149
157
|
headers = {}
|
|
150
158
|
params = { grant_type: "client_credentials" }
|
|
151
159
|
|
|
152
160
|
post "/oauth/token", params: params, headers: headers
|
|
153
161
|
|
|
154
|
-
should_have_json "error", "invalid_client"
|
|
155
|
-
should_have_json "error_description", translated_error_message(:invalid_client)
|
|
156
|
-
should_not_have_json "access_token"
|
|
157
|
-
|
|
158
162
|
expect(response.status).to eq(401)
|
|
163
|
+
|
|
164
|
+
expect(json_response).to match(
|
|
165
|
+
"error" => "invalid_client",
|
|
166
|
+
"error_description" => translated_error_message(:invalid_client),
|
|
167
|
+
)
|
|
159
168
|
end
|
|
160
169
|
end
|
|
161
170
|
|
|
162
171
|
context "when revoke_previous_client_credentials_token is true" do
|
|
163
172
|
before do
|
|
164
|
-
allow(Doorkeeper.config).to receive(:reuse_access_token)
|
|
165
|
-
allow(Doorkeeper.config).to receive(:revoke_previous_client_credentials_token)
|
|
173
|
+
allow(Doorkeeper.config).to receive(:reuse_access_token).and_return(false)
|
|
174
|
+
allow(Doorkeeper.config).to receive(:revoke_previous_client_credentials_token?).and_return(true)
|
|
166
175
|
end
|
|
167
176
|
|
|
168
177
|
it "revokes the previous token" do
|
|
@@ -170,15 +179,15 @@ describe "Client Credentials Request" do
|
|
|
170
179
|
params = { grant_type: "client_credentials" }
|
|
171
180
|
|
|
172
181
|
post "/oauth/token", params: params, headers: headers
|
|
173
|
-
|
|
182
|
+
expect(json_response).to include("access_token" => Doorkeeper::AccessToken.first.token)
|
|
174
183
|
|
|
175
184
|
token = Doorkeeper::AccessToken.first
|
|
176
185
|
|
|
177
186
|
post "/oauth/token", params: params, headers: headers
|
|
178
|
-
|
|
187
|
+
expect(json_response).to include("access_token" => Doorkeeper::AccessToken.last.token)
|
|
179
188
|
|
|
180
|
-
expect(token.reload
|
|
181
|
-
expect(Doorkeeper::AccessToken.last
|
|
189
|
+
expect(token.reload).to be_revoked
|
|
190
|
+
expect(Doorkeeper::AccessToken.last).not_to be_revoked
|
|
182
191
|
end
|
|
183
192
|
|
|
184
193
|
context "with a simultaneous request" do
|
|
@@ -194,8 +203,11 @@ describe "Client Credentials Request" do
|
|
|
194
203
|
params = { grant_type: "client_credentials" }
|
|
195
204
|
|
|
196
205
|
post "/oauth/token", params: params, headers: headers
|
|
197
|
-
|
|
198
|
-
|
|
206
|
+
|
|
207
|
+
expect(json_response).to match(
|
|
208
|
+
"error" => "invalid_token_reuse",
|
|
209
|
+
"error_description" => translated_error_message(:server_error),
|
|
210
|
+
)
|
|
199
211
|
end
|
|
200
212
|
end
|
|
201
213
|
end
|
|
@@ -44,7 +44,7 @@ feature "Implicit Grant Flow (feature spec)" do
|
|
|
44
44
|
end
|
|
45
45
|
end
|
|
46
46
|
|
|
47
|
-
describe "Implicit Grant Flow (request spec)" do
|
|
47
|
+
RSpec.describe "Implicit Grant Flow (request spec)" do
|
|
48
48
|
before do
|
|
49
49
|
default_scopes_exist :default
|
|
50
50
|
config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
|
|
@@ -53,8 +53,8 @@ describe "Implicit Grant Flow (request spec)" do
|
|
|
53
53
|
create_resource_owner
|
|
54
54
|
end
|
|
55
55
|
|
|
56
|
-
context "
|
|
57
|
-
it "
|
|
56
|
+
context "when reuse_access_token enabled" do
|
|
57
|
+
it "returns a new token each request" do
|
|
58
58
|
allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(false)
|
|
59
59
|
|
|
60
60
|
token = client_is_authorized(@client, @resource_owner, scopes: "default")
|
|
@@ -71,7 +71,7 @@ describe "Implicit Grant Flow (request spec)" do
|
|
|
71
71
|
expect(response.location).not_to include(token.token)
|
|
72
72
|
end
|
|
73
73
|
|
|
74
|
-
it "
|
|
74
|
+
it "returns the same token if it is still accessible" do
|
|
75
75
|
allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
|
|
76
76
|
|
|
77
77
|
token = client_is_authorized(@client, @resource_owner, scopes: "default")
|
|
@@ -2,315 +2,355 @@
|
|
|
2
2
|
|
|
3
3
|
require "spec_helper"
|
|
4
4
|
|
|
5
|
-
describe "Resource Owner Password Credentials Flow
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
5
|
+
RSpec.describe "Resource Owner Password Credentials Flow" do
|
|
6
|
+
context "when not setup properly" do
|
|
7
|
+
before do
|
|
8
|
+
client_exists
|
|
9
|
+
create_resource_owner
|
|
10
|
+
end
|
|
10
11
|
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
12
|
+
context "with valid user credentials" do
|
|
13
|
+
it "does not issue new token" do
|
|
14
|
+
expect do
|
|
15
|
+
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
16
|
+
end.not_to(change { Doorkeeper::AccessToken.count })
|
|
17
|
+
end
|
|
16
18
|
end
|
|
17
19
|
end
|
|
18
|
-
end
|
|
19
20
|
|
|
20
|
-
|
|
21
|
-
|
|
21
|
+
context "when grant type configured" do
|
|
22
|
+
let(:client_attributes) { { redirect_uri: nil } }
|
|
22
23
|
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
24
|
+
before do
|
|
25
|
+
config_is_set(:grant_flows, ["password"])
|
|
26
|
+
config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
|
|
27
|
+
client_exists(client_attributes)
|
|
28
|
+
create_resource_owner
|
|
29
|
+
end
|
|
29
30
|
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
31
|
+
context "with valid user credentials" do
|
|
32
|
+
context "with confidential client authorized using Basic auth" do
|
|
33
|
+
it "issues a new token" do
|
|
34
|
+
expect do
|
|
35
|
+
post password_token_endpoint_url(
|
|
36
|
+
resource_owner: @resource_owner,
|
|
37
|
+
), headers: { "HTTP_AUTHORIZATION" => basic_auth_header_for_client(@client) }
|
|
38
|
+
end.to(change { Doorkeeper::AccessToken.count })
|
|
33
39
|
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
40
|
+
token = Doorkeeper::AccessToken.first
|
|
41
|
+
expect(token.application_id).to eq(@client.id)
|
|
42
|
+
|
|
43
|
+
expect(json_response).to match(
|
|
44
|
+
"access_token" => token.token,
|
|
45
|
+
"expires_in" => an_instance_of(Integer),
|
|
46
|
+
"token_type" => "Bearer",
|
|
47
|
+
"created_at" => an_instance_of(Integer),
|
|
39
48
|
)
|
|
40
49
|
end
|
|
50
|
+
end
|
|
41
51
|
|
|
42
|
-
|
|
43
|
-
|
|
52
|
+
context "with non-confidential/public client" do
|
|
53
|
+
let(:client_attributes) { { confidential: false } }
|
|
44
54
|
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
55
|
+
context "when configured to check application supported grant flow" do
|
|
56
|
+
before do
|
|
57
|
+
Doorkeeper.configuration.instance_variable_set(
|
|
58
|
+
:@allow_grant_flow_for_client,
|
|
59
|
+
->(_grant_flow, client) { client.name == "admin" },
|
|
50
60
|
)
|
|
51
|
-
end
|
|
61
|
+
end
|
|
52
62
|
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
63
|
+
scenario "forbids the request when doesn't satisfy condition" do
|
|
64
|
+
@client.update(name: "sample app")
|
|
65
|
+
|
|
66
|
+
expect do
|
|
67
|
+
post password_token_endpoint_url(
|
|
68
|
+
client_id: @client.uid,
|
|
69
|
+
client_secret: "foobar",
|
|
70
|
+
resource_owner: @resource_owner,
|
|
71
|
+
)
|
|
72
|
+
end.not_to(change { Doorkeeper::AccessToken.count })
|
|
56
73
|
|
|
57
|
-
|
|
58
|
-
|
|
74
|
+
expect(response.status).to eq(401)
|
|
75
|
+
expect(json_response).to match(
|
|
76
|
+
"error" => "invalid_client",
|
|
77
|
+
"error_description" => an_instance_of(String),
|
|
78
|
+
)
|
|
79
|
+
end
|
|
59
80
|
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
81
|
+
scenario "allows the request when satisfies condition" do
|
|
82
|
+
@client.update(name: "admin")
|
|
63
83
|
|
|
64
|
-
|
|
84
|
+
expect do
|
|
85
|
+
post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
|
|
86
|
+
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
87
|
+
|
|
88
|
+
token = Doorkeeper::AccessToken.first
|
|
89
|
+
expect(token.application_id).to eq(@client.id)
|
|
65
90
|
|
|
66
|
-
|
|
67
|
-
|
|
91
|
+
expect(json_response).to include("access_token" => token.token)
|
|
92
|
+
end
|
|
68
93
|
end
|
|
69
|
-
end
|
|
70
94
|
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
95
|
+
context "when client_secret absent" do
|
|
96
|
+
it "issues a new token" do
|
|
97
|
+
expect do
|
|
98
|
+
post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
|
|
99
|
+
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
76
100
|
|
|
77
|
-
|
|
101
|
+
token = Doorkeeper::AccessToken.first
|
|
78
102
|
|
|
79
|
-
|
|
80
|
-
|
|
103
|
+
expect(token.application_id).to eq(@client.id)
|
|
104
|
+
expect(json_response).to include("access_token" => token.token)
|
|
105
|
+
end
|
|
106
|
+
end
|
|
107
|
+
|
|
108
|
+
context "when client_secret present" do
|
|
109
|
+
it "issues a new token" do
|
|
110
|
+
expect do
|
|
111
|
+
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
112
|
+
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
113
|
+
|
|
114
|
+
token = Doorkeeper::AccessToken.first
|
|
115
|
+
|
|
116
|
+
expect(token.application_id).to eq(@client.id)
|
|
117
|
+
expect(json_response).to include("access_token" => token.token)
|
|
118
|
+
end
|
|
119
|
+
|
|
120
|
+
context "when client_secret incorrect" do
|
|
121
|
+
it "doesn't issue new token" do
|
|
122
|
+
expect do
|
|
123
|
+
post password_token_endpoint_url(
|
|
124
|
+
client_id: @client.uid,
|
|
125
|
+
client_secret: "foobar",
|
|
126
|
+
resource_owner: @resource_owner,
|
|
127
|
+
)
|
|
128
|
+
end.not_to(change { Doorkeeper::AccessToken.count })
|
|
129
|
+
|
|
130
|
+
expect(response.status).to eq(401)
|
|
131
|
+
expect(json_response).to include(
|
|
132
|
+
"error" => "invalid_client",
|
|
133
|
+
"error_description" => an_instance_of(String),
|
|
134
|
+
)
|
|
135
|
+
end
|
|
136
|
+
end
|
|
81
137
|
end
|
|
82
138
|
end
|
|
83
139
|
|
|
84
|
-
context "
|
|
85
|
-
it "
|
|
140
|
+
context "with confidential/private client" do
|
|
141
|
+
it "issues a new token" do
|
|
86
142
|
expect do
|
|
87
143
|
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
88
144
|
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
89
145
|
|
|
90
146
|
token = Doorkeeper::AccessToken.first
|
|
91
147
|
|
|
92
|
-
expect(token.application_id).to eq
|
|
93
|
-
|
|
148
|
+
expect(token.application_id).to eq(@client.id)
|
|
149
|
+
expect(json_response).to include("access_token" => token.token)
|
|
94
150
|
end
|
|
95
151
|
|
|
96
|
-
context "when client_secret
|
|
97
|
-
it "
|
|
152
|
+
context "when client_secret absent" do
|
|
153
|
+
it "doesn't issue new token" do
|
|
98
154
|
expect do
|
|
99
|
-
post password_token_endpoint_url(
|
|
100
|
-
client_id: @client.uid,
|
|
101
|
-
client_secret: "foobar",
|
|
102
|
-
resource_owner: @resource_owner,
|
|
103
|
-
)
|
|
155
|
+
post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
|
|
104
156
|
end.not_to(change { Doorkeeper::AccessToken.count })
|
|
105
157
|
|
|
106
158
|
expect(response.status).to eq(401)
|
|
107
|
-
|
|
159
|
+
expect(json_response).to match(
|
|
160
|
+
"error" => "invalid_client",
|
|
161
|
+
"error_description" => an_instance_of(String),
|
|
162
|
+
)
|
|
108
163
|
end
|
|
109
164
|
end
|
|
110
165
|
end
|
|
111
|
-
end
|
|
112
166
|
|
|
113
|
-
|
|
114
|
-
it "should issue new token" do
|
|
167
|
+
it "issues new token without client credentials" do
|
|
115
168
|
expect do
|
|
116
|
-
post password_token_endpoint_url(
|
|
117
|
-
end.to
|
|
169
|
+
post password_token_endpoint_url(resource_owner: @resource_owner)
|
|
170
|
+
end.to(change { Doorkeeper::AccessToken.count }.by(1))
|
|
118
171
|
|
|
119
172
|
token = Doorkeeper::AccessToken.first
|
|
120
173
|
|
|
121
|
-
expect(token.application_id).to
|
|
122
|
-
|
|
123
|
-
end
|
|
124
|
-
|
|
125
|
-
context "when client_secret absent" do
|
|
126
|
-
it "should not issue new token" do
|
|
127
|
-
expect do
|
|
128
|
-
post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
|
|
129
|
-
end.not_to(change { Doorkeeper::AccessToken.count })
|
|
130
|
-
|
|
131
|
-
expect(response.status).to eq(401)
|
|
132
|
-
should_have_json "error", "invalid_client"
|
|
133
|
-
end
|
|
174
|
+
expect(token.application_id).to be_nil
|
|
175
|
+
expect(json_response).to include("access_token" => token.token)
|
|
134
176
|
end
|
|
135
|
-
end
|
|
136
177
|
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
post password_token_endpoint_url(resource_owner: @resource_owner)
|
|
140
|
-
end.to(change { Doorkeeper::AccessToken.count }.by(1))
|
|
178
|
+
it "issues a refresh token if enabled" do
|
|
179
|
+
config_is_set(:refresh_token_enabled, true)
|
|
141
180
|
|
|
142
|
-
|
|
181
|
+
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
143
182
|
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
|
|
183
|
+
token = Doorkeeper::AccessToken.first
|
|
184
|
+
expect(json_response).to include("refresh_token" => token.refresh_token)
|
|
185
|
+
end
|
|
147
186
|
|
|
148
|
-
|
|
149
|
-
|
|
187
|
+
it "returns the same token if it is still accessible" do
|
|
188
|
+
allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
|
|
150
189
|
|
|
151
|
-
|
|
190
|
+
client_is_authorized(@client, @resource_owner)
|
|
152
191
|
|
|
153
|
-
|
|
192
|
+
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
154
193
|
|
|
155
|
-
|
|
156
|
-
|
|
194
|
+
expect(Doorkeeper::AccessToken.count).to be(1)
|
|
195
|
+
expect(json_response).to include("access_token" => Doorkeeper::AccessToken.first.token)
|
|
196
|
+
end
|
|
157
197
|
|
|
158
|
-
|
|
159
|
-
|
|
198
|
+
context "with valid, default scope" do
|
|
199
|
+
before do
|
|
200
|
+
default_scopes_exist :public
|
|
201
|
+
end
|
|
160
202
|
|
|
161
|
-
|
|
203
|
+
it "issues new token" do
|
|
204
|
+
expect do
|
|
205
|
+
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner, scope: "public")
|
|
206
|
+
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
162
207
|
|
|
163
|
-
|
|
208
|
+
token = Doorkeeper::AccessToken.first
|
|
164
209
|
|
|
165
|
-
|
|
166
|
-
|
|
210
|
+
expect(token.application_id).to eq(@client.id)
|
|
211
|
+
expect(json_response).to include(
|
|
212
|
+
"access_token" => token.token,
|
|
213
|
+
"scope" => "public",
|
|
214
|
+
)
|
|
215
|
+
end
|
|
216
|
+
end
|
|
167
217
|
end
|
|
168
218
|
|
|
169
|
-
context "
|
|
219
|
+
context "when application scopes are present and differs from configured default scopes and no scope is passed" do
|
|
170
220
|
before do
|
|
171
221
|
default_scopes_exist :public
|
|
222
|
+
@client.update(scopes: "abc")
|
|
172
223
|
end
|
|
173
224
|
|
|
174
|
-
it "
|
|
225
|
+
it "issues new token without any scope" do
|
|
175
226
|
expect do
|
|
176
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner
|
|
227
|
+
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
177
228
|
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
178
229
|
|
|
179
230
|
token = Doorkeeper::AccessToken.first
|
|
180
231
|
|
|
181
|
-
expect(token.application_id).to eq
|
|
182
|
-
|
|
183
|
-
|
|
232
|
+
expect(token.application_id).to eq(@client.id)
|
|
233
|
+
expect(token.scopes).to be_empty
|
|
234
|
+
expect(json_response).to include("access_token" => token.token)
|
|
235
|
+
expect(json_response).not_to include("scope")
|
|
184
236
|
end
|
|
185
237
|
end
|
|
186
|
-
end
|
|
187
238
|
|
|
188
|
-
|
|
189
|
-
|
|
190
|
-
|
|
191
|
-
|
|
192
|
-
end
|
|
239
|
+
context "when application scopes contain some of the default scopes and no scope is passed" do
|
|
240
|
+
before do
|
|
241
|
+
@client.update(scopes: "read write public")
|
|
242
|
+
end
|
|
193
243
|
|
|
194
|
-
|
|
195
|
-
|
|
196
|
-
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
197
|
-
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
244
|
+
it "issues new token with one default scope that are present in application scopes" do
|
|
245
|
+
default_scopes_exist :public, :admin
|
|
198
246
|
|
|
199
|
-
|
|
247
|
+
expect do
|
|
248
|
+
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
249
|
+
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
200
250
|
|
|
201
|
-
|
|
202
|
-
expect(token.scopes).to be_empty
|
|
203
|
-
should_have_json "access_token", token.token
|
|
204
|
-
should_not_have_json "scope"
|
|
205
|
-
end
|
|
206
|
-
end
|
|
251
|
+
token = Doorkeeper::AccessToken.first
|
|
207
252
|
|
|
208
|
-
|
|
209
|
-
|
|
210
|
-
|
|
211
|
-
|
|
253
|
+
expect(token.application_id).to eq(@client.id)
|
|
254
|
+
expect(json_response).to include(
|
|
255
|
+
"access_token" => token.token,
|
|
256
|
+
"scope" => "public",
|
|
257
|
+
)
|
|
258
|
+
end
|
|
212
259
|
|
|
213
|
-
|
|
214
|
-
|
|
260
|
+
it "issues new token with multiple default scopes that are present in application scopes" do
|
|
261
|
+
default_scopes_exist :public, :read, :update
|
|
215
262
|
|
|
216
|
-
|
|
217
|
-
|
|
218
|
-
|
|
263
|
+
expect do
|
|
264
|
+
post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
|
|
265
|
+
end.to change { Doorkeeper::AccessToken.count }.by(1)
|
|
219
266
|
|
|
220
|
-
|
|
267
|
+
token = Doorkeeper::AccessToken.first
|
|
221
268
|
|
|
222
|
-
|
|
223
|
-
|
|
224
|
-
|
|
269
|
+
expect(token.application_id).to eq(@client.id)
|
|
270
|
+
expect(json_response).to include(
|
|
271
|
+
"access_token" => token.token,
|
|
272
|
+
"scope" => "public read",
|
|
273
|
+
)
|
|
274
|
+
end
|
|
225
275
|
end
|
|
226
276
|
|
|
227
|
-
|
|
228
|
-
|
|
229
|
-
|
|
230
|
-
|
|
231
|
-
|
|
232
|
-
|
|
233
|
-
|
|
234
|
-
|
|
277
|
+
context "with invalid scopes" do
|
|
278
|
+
subject do
|
|
279
|
+
post password_token_endpoint_url(
|
|
280
|
+
client: @client,
|
|
281
|
+
resource_owner: @resource_owner,
|
|
282
|
+
scope: "random",
|
|
283
|
+
)
|
|
284
|
+
end
|
|
235
285
|
|
|
236
|
-
|
|
237
|
-
|
|
238
|
-
|
|
239
|
-
end
|
|
240
|
-
end
|
|
286
|
+
it "doesn't issue new token" do
|
|
287
|
+
expect { subject }.not_to(change { Doorkeeper::AccessToken.count })
|
|
288
|
+
end
|
|
241
289
|
|
|
242
|
-
|
|
243
|
-
|
|
244
|
-
post password_token_endpoint_url(
|
|
245
|
-
client: @client,
|
|
246
|
-
resource_owner: @resource_owner,
|
|
247
|
-
scope: "random",
|
|
248
|
-
)
|
|
249
|
-
end
|
|
290
|
+
it "returns invalid_scope error" do
|
|
291
|
+
subject
|
|
250
292
|
|
|
251
|
-
|
|
252
|
-
|
|
253
|
-
|
|
293
|
+
expect(json_response).to include(
|
|
294
|
+
"error" => "invalid_scope",
|
|
295
|
+
"error_description" => translated_error_message(:invalid_scope),
|
|
296
|
+
)
|
|
254
297
|
|
|
255
|
-
|
|
256
|
-
subject
|
|
257
|
-
should_have_json "error", "invalid_scope"
|
|
258
|
-
should_have_json "error_description", translated_error_message(:invalid_scope)
|
|
259
|
-
should_not_have_json "access_token"
|
|
298
|
+
expect(json_response).not_to include("access_token")
|
|
260
299
|
|
|
261
|
-
|
|
300
|
+
expect(response.status).to eq(400)
|
|
301
|
+
end
|
|
262
302
|
end
|
|
263
|
-
end
|
|
264
303
|
|
|
265
|
-
|
|
266
|
-
|
|
267
|
-
|
|
268
|
-
|
|
269
|
-
|
|
270
|
-
|
|
271
|
-
|
|
272
|
-
|
|
273
|
-
|
|
274
|
-
|
|
304
|
+
context "with invalid user credentials" do
|
|
305
|
+
it "doesn't issue new token with bad password" do
|
|
306
|
+
expect do
|
|
307
|
+
post password_token_endpoint_url(
|
|
308
|
+
client: @client,
|
|
309
|
+
resource_owner_username: @resource_owner.name,
|
|
310
|
+
resource_owner_password: "wrongpassword",
|
|
311
|
+
)
|
|
312
|
+
end.not_to(change { Doorkeeper::AccessToken.count })
|
|
313
|
+
end
|
|
275
314
|
|
|
276
|
-
|
|
277
|
-
|
|
278
|
-
|
|
279
|
-
|
|
280
|
-
|
|
315
|
+
it "doesn't issue new token without credentials" do
|
|
316
|
+
expect do
|
|
317
|
+
post password_token_endpoint_url(client: @client)
|
|
318
|
+
end.not_to(change { Doorkeeper::AccessToken.count })
|
|
319
|
+
end
|
|
281
320
|
|
|
282
|
-
|
|
283
|
-
|
|
321
|
+
it "doesn't issue new token if resource_owner_from_credentials returned false or nil" do
|
|
322
|
+
config_is_set(:resource_owner_from_credentials) { false }
|
|
284
323
|
|
|
285
|
-
|
|
286
|
-
|
|
287
|
-
|
|
324
|
+
expect do
|
|
325
|
+
post password_token_endpoint_url(client: @client)
|
|
326
|
+
end.not_to(change { Doorkeeper::AccessToken.count })
|
|
288
327
|
|
|
289
|
-
|
|
328
|
+
config_is_set(:resource_owner_from_credentials) { nil }
|
|
290
329
|
|
|
291
|
-
|
|
292
|
-
|
|
293
|
-
|
|
330
|
+
expect do
|
|
331
|
+
post password_token_endpoint_url(client: @client)
|
|
332
|
+
end.not_to(change { Doorkeeper::AccessToken.count })
|
|
333
|
+
end
|
|
294
334
|
end
|
|
295
|
-
end
|
|
296
335
|
|
|
297
|
-
|
|
298
|
-
|
|
299
|
-
|
|
300
|
-
|
|
301
|
-
|
|
302
|
-
|
|
303
|
-
|
|
304
|
-
|
|
305
|
-
|
|
336
|
+
context "with invalid confidential client credentials" do
|
|
337
|
+
it "doesn't issue new token with bad client credentials" do
|
|
338
|
+
expect do
|
|
339
|
+
post password_token_endpoint_url(
|
|
340
|
+
client_id: @client.uid,
|
|
341
|
+
client_secret: "bad_secret",
|
|
342
|
+
resource_owner: @resource_owner,
|
|
343
|
+
)
|
|
344
|
+
end.not_to(change { Doorkeeper::AccessToken.count })
|
|
345
|
+
end
|
|
306
346
|
end
|
|
307
|
-
end
|
|
308
347
|
|
|
309
|
-
|
|
310
|
-
|
|
311
|
-
|
|
312
|
-
|
|
313
|
-
|
|
348
|
+
context "with invalid public client id" do
|
|
349
|
+
it "doesn't issue new token with bad client id" do
|
|
350
|
+
expect do
|
|
351
|
+
post password_token_endpoint_url(client_id: "bad_id", resource_owner: @resource_owner)
|
|
352
|
+
end.not_to(change { Doorkeeper::AccessToken.count })
|
|
353
|
+
end
|
|
314
354
|
end
|
|
315
355
|
end
|
|
316
356
|
end
|