doorkeeper-mongodb 5.2.1 → 5.2.3

data/spec/models/doorkeeper/application_spec.rb

@@ -3,7 +3,7 @@
 require "spec_helper"
 require "bcrypt"
 
-describe Doorkeeper::Application do
+RSpec.describe Doorkeeper::Application do
   let(:require_owner) { Doorkeeper.config.instance_variable_set("@confirm_application_owner", true) }
   let(:unset_require_owner) { Doorkeeper.config.instance_variable_set("@confirm_application_owner", false) }
   let(:new_application) { FactoryBot.build(:application) }
@@ -83,7 +83,7 @@ describe Doorkeeper::Application do
     expect(new_application).not_to be_valid
   end
 
-  context "application_owner is enabled" do
+  context "when application_owner is enabled" do
     before do
       Doorkeeper.configure do
         orm DOORKEEPER_ORM
@@ -91,8 +91,8 @@ describe Doorkeeper::Application do
       end
     end
 
-    context "application owner is not required" do
-      before(:each) do
+    context "when application owner is not required" do
+      before do
         unset_require_owner
       end
 
@@ -101,8 +101,8 @@ describe Doorkeeper::Application do
       end
     end
 
-    context "application owner is required" do
-      before(:each) do
+    context "when application owner is required" do
+      before do
         require_owner
         @owner = FactoryBot.build_stubbed(:doorkeeper_testing_user)
       end
@@ -118,10 +118,11 @@ describe Doorkeeper::Application do
     end
   end
 
-  context "redirect URI" do
+  describe "redirect URI" do
     context "when grant flows allow blank redirect URI" do
       before do
         Doorkeeper.configure do
+          orm DOORKEEPER_ORM
           grant_flows %w[password client_credentials]
         end
       end
@@ -136,6 +137,7 @@ describe Doorkeeper::Application do
     context "when grant flows require redirect URI" do
       before do
         Doorkeeper.configure do
+          orm DOORKEEPER_ORM
           grant_flows %w[password client_credentials authorization_code]
         end
       end
@@ -150,6 +152,7 @@ describe Doorkeeper::Application do
     context "when blank URI option disabled" do
       before do
         Doorkeeper.configure do
+          orm DOORKEEPER_ORM
           grant_flows %w[password client_credentials]
           allow_blank_redirect_uri false
         end
@@ -179,6 +182,7 @@ describe Doorkeeper::Application do
       # will always be true
       before do
         Doorkeeper.configure do
+          orm DOORKEEPER_ORM
           hash_application_secrets using: "Doorkeeper::SecretStoring::BCrypt"
         end
       end
@@ -218,13 +222,13 @@ describe Doorkeeper::Application do
   end
 
   describe "destroy related models on cascade" do
-    before(:each) do
+    before do
       new_application.save
     end
 
     let(:resource_owner) { FactoryBot.create(:resource_owner) }
 
-    it "should destroy its access grants" do
+    it "destroys its access grants" do
       FactoryBot.create(
         :access_grant,
         application: new_application,
@@ -235,7 +239,7 @@ describe Doorkeeper::Application do
       expect { new_application.destroy }.to change { Doorkeeper::AccessGrant.count }.by(-1)
     end
 
-    it "should destroy its access tokens" do
+    it "destroys its access tokens" do
       FactoryBot.create(:access_token, application: new_application)
       FactoryBot.create(:access_token, application: new_application, revoked_at: Time.now.utc)
       expect do
@@ -264,13 +268,14 @@ describe Doorkeeper::Application do
 
   describe "#redirect_uri=" do
     context "when array of valid redirect_uris" do
-      it "should join by newline" do
+      it "joins by newline" do
         new_application.redirect_uri = ["http://localhost/callback1", "http://localhost/callback2"]
         expect(new_application.redirect_uri).to eq("http://localhost/callback1\nhttp://localhost/callback2")
       end
     end
+
     context "when string of valid redirect_uris" do
-      it "should store as-is" do
+      it "stores as-is" do
         new_application.redirect_uri = "http://localhost/callback1\nhttp://localhost/callback2"
         expect(new_application.redirect_uri).to eq("http://localhost/callback1\nhttp://localhost/callback2")
       end
@@ -280,7 +285,7 @@ describe Doorkeeper::Application do
   describe "#renew_secret" do
     let(:app) { FactoryBot.create :application }
 
-    it "should generate a new secret" do
+    it "generates a new secret" do
       old_secret = app.secret
       app.renew_secret
       expect(old_secret).not_to eq(app.secret)
@@ -372,8 +377,9 @@ describe Doorkeeper::Application do
         authenticated = described_class.by_uid_and_secret(app.uid, app.secret)
         expect(authenticated).to eq(app)
       end
+
       context "when secret is wrong" do
-        it "should not find the application" do
+        it "does not find the application" do
           app = FactoryBot.create :application
           authenticated = described_class.by_uid_and_secret(app.uid, "bad")
           expect(authenticated).to eq(nil)
@@ -383,14 +389,15 @@ describe Doorkeeper::Application do
 
     context "when application is public/non-confidential" do
       context "when secret is blank" do
-        it "should find the application" do
+        it "finds the application" do
           app = FactoryBot.create :application, confidential: false
           authenticated = described_class.by_uid_and_secret(app.uid, nil)
           expect(authenticated).to eq(app)
         end
       end
+
       context "when secret is wrong" do
-        it "should not find the application" do
+        it "does not find the application" do
           app = FactoryBot.create :application, confidential: false
           authenticated = described_class.by_uid_and_secret(app.uid, "bad")
           expect(authenticated).to eq(nil)
@@ -404,11 +411,13 @@ describe Doorkeeper::Application do
 
     context "when application is private/confidential" do
       let(:confidential) { true }
+
       it { expect(subject).to eq(true) }
     end
 
     context "when application is public/non-confidential" do
       let(:confidential) { false }
+
       it { expect(subject).to eq(false) }
     end
   end
@@ -421,16 +430,7 @@ describe Doorkeeper::Application do
         .to receive(:application_secret_strategy).and_return(Doorkeeper::SecretStoring::Plain)
     end
 
-    it "includes plaintext secret" do
-      expect(app.as_json).to include("secret" => "123123123")
-    end
-
-    it "respects custom options" do
-      expect(app.as_json(except: :secret)).not_to include("secret")
-      expect(app.as_json(only: :id)).to match("id" => app.id)
-    end
-
-    # AR specific
+    # AR specific feature
     if DOORKEEPER_ORM == :active_record
       it "correctly works with #to_json" do
         ActiveRecord::Base.include_root_in_json = true
@@ -438,5 +438,62 @@ describe Doorkeeper::Application do
         ActiveRecord::Base.include_root_in_json = false
       end
     end
+
+    context "when called without authorized resource owner" do
+      it "includes minimal set of attributes" do
+        expect(app.as_json).to match(
+          "id" => app.id,
+          "name" => app.name,
+          "created_at" => anything,
+        )
+      end
+
+      it "includes application UID if it's public" do
+        app = FactoryBot.create :application, secret: "123123123", confidential: false
+
+        expect(app.as_json).to match(
+          "id" => app.id,
+          "name" => app.name,
+          "created_at" => anything,
+          "uid" => app.uid,
+        )
+      end
+
+      it "respects custom options" do
+        expect(app.as_json(except: :id)).not_to include("id")
+        expect(app.as_json(only: %i[name created_at secret]))
+          .to match(
+            "name" => app.name,
+            "created_at" => anything,
+          )
+      end
+    end
+
+    context "when called with authorized resource owner" do
+      let(:owner) { FactoryBot.create(:doorkeeper_testing_user) }
+      let(:other_owner) { FactoryBot.create(:doorkeeper_testing_user) }
+      let(:app) { FactoryBot.create(:application, secret: "123123123", owner: owner) }
+
+      before do
+        Doorkeeper.configure do
+          orm DOORKEEPER_ORM
+          enable_application_owner confirmation: false
+        end
+      end
+
+      it "includes all the attributes" do
+        expect(app.as_json(current_resource_owner: owner))
+          .to include(
+            "secret" => "123123123",
+            "redirect_uri" => app.redirect_uri,
+            "uid" => app.uid,
+          )
+      end
+
+      it "doesn't include unsafe attributes if current owner isn't the same as owner" do
+        expect(app.as_json(current_resource_owner: other_owner))
+          .not_to include("redirect_uri")
+      end
+    end
   end
 end

data/spec/requests/applications/applications_request_spec.rb

@@ -2,127 +2,125 @@
 
 require "spec_helper"
 
-feature "Adding applications" do
-  context "in application form" do
-    background do
-      i_am_logged_in
-      visit "/oauth/applications/new"
-    end
+feature "Adding applications in application form" do
+  background do
+    i_am_logged_in
+    visit "/oauth/applications/new"
+  end
 
-    scenario "adding a valid app" do
-      fill_in "doorkeeper_application[name]", with: "My Application"
-      fill_in "doorkeeper_application[redirect_uri]",
-              with: "https://example.com"
+  scenario "adding a valid app" do
+    fill_in "doorkeeper_application[name]", with: "My Application"
+    fill_in "doorkeeper_application[redirect_uri]",
+            with: "https://example.com"
 
-      click_button "Submit"
-      i_should_see "Application created"
-      i_should_see "My Application"
-    end
+    click_button "Submit"
+    i_should_see "Application created"
+    i_should_see "My Application"
+  end
 
-    scenario "adding invalid app" do
-      click_button "Submit"
-      i_should_see "Whoops! Check your form for possible errors"
-    end
+  scenario "adding invalid app" do
+    click_button "Submit"
+    i_should_see "Whoops! Check your form for possible errors"
+  end
 
-    scenario "adding app ignoring bad scope" do
-      config_is_set("enforce_configured_scopes", false)
+  scenario "adding app ignoring bad scope" do
+    config_is_set("enforce_configured_scopes", false)
 
-      fill_in "doorkeeper_application[name]", with: "My Application"
-      fill_in "doorkeeper_application[redirect_uri]",
-              with: "https://example.com"
-      fill_in "doorkeeper_application[scopes]", with: "blahblah"
+    fill_in "doorkeeper_application[name]", with: "My Application"
+    fill_in "doorkeeper_application[redirect_uri]",
+            with: "https://example.com"
+    fill_in "doorkeeper_application[scopes]", with: "blahblah"
 
-      click_button "Submit"
-      i_should_see "Application created"
-      i_should_see "My Application"
-    end
+    click_button "Submit"
+    i_should_see "Application created"
+    i_should_see "My Application"
+  end
 
-    scenario "adding app validating bad scope" do
-      config_is_set("enforce_configured_scopes", true)
+  scenario "adding app validating bad scope" do
+    config_is_set("enforce_configured_scopes", true)
 
-      fill_in "doorkeeper_application[name]", with: "My Application"
-      fill_in "doorkeeper_application[redirect_uri]",
-              with: "https://example.com"
-      fill_in "doorkeeper_application[scopes]", with: "blahblah"
+    fill_in "doorkeeper_application[name]", with: "My Application"
+    fill_in "doorkeeper_application[redirect_uri]",
+            with: "https://example.com"
+    fill_in "doorkeeper_application[scopes]", with: "blahblah"
 
-      click_button "Submit"
-      i_should_see "Whoops! Check your form for possible errors"
-    end
+    click_button "Submit"
+    i_should_see "Whoops! Check your form for possible errors"
+  end
 
-    scenario "adding app validating scope, blank scope is accepted" do
-      config_is_set("enforce_configured_scopes", true)
+  scenario "adding app validating scope, blank scope is accepted" do
+    config_is_set("enforce_configured_scopes", true)
 
-      fill_in "doorkeeper_application[name]", with: "My Application"
-      fill_in "doorkeeper_application[redirect_uri]",
-              with: "https://example.com"
-      fill_in "doorkeeper_application[scopes]", with: ""
+    fill_in "doorkeeper_application[name]", with: "My Application"
+    fill_in "doorkeeper_application[redirect_uri]",
+            with: "https://example.com"
+    fill_in "doorkeeper_application[scopes]", with: ""
 
-      click_button "Submit"
-      i_should_see "Application created"
-      i_should_see "My Application"
-    end
+    click_button "Submit"
+    i_should_see "Application created"
+    i_should_see "My Application"
+  end
 
-    scenario "adding app validating scope, multiple scopes configured" do
-      config_is_set("enforce_configured_scopes", true)
-      scopes = Doorkeeper::OAuth::Scopes.from_array(%w[read write admin])
-      config_is_set("optional_scopes", scopes)
+  scenario "adding app validating scope, multiple scopes configured" do
+    config_is_set("enforce_configured_scopes", true)
+    scopes = Doorkeeper::OAuth::Scopes.from_array(%w[read write admin])
+    config_is_set("optional_scopes", scopes)
 
-      fill_in "doorkeeper_application[name]", with: "My Application"
-      fill_in "doorkeeper_application[redirect_uri]",
-              with: "https://example.com"
-      fill_in "doorkeeper_application[scopes]", with: "read write"
+    fill_in "doorkeeper_application[name]", with: "My Application"
+    fill_in "doorkeeper_application[redirect_uri]",
+            with: "https://example.com"
+    fill_in "doorkeeper_application[scopes]", with: "read write"
 
-      click_button "Submit"
-      i_should_see "Application created"
-      i_should_see "My Application"
-    end
+    click_button "Submit"
+    i_should_see "Application created"
+    i_should_see "My Application"
+  end
+
+  scenario "adding app validating scope, bad scope with multiple scopes configured" do
+    config_is_set("enforce_configured_scopes", true)
+    scopes = Doorkeeper::OAuth::Scopes.from_array(%w[read write admin])
+    config_is_set("optional_scopes", scopes)
+
+    fill_in "doorkeeper_application[name]", with: "My Application"
+    fill_in "doorkeeper_application[redirect_uri]",
+            with: "https://example.com"
+    fill_in "doorkeeper_application[scopes]", with: "read blah"
+
+    click_button "Submit"
+    i_should_see "Whoops! Check your form for possible errors"
+    i_should_see Regexp.new(
+      I18n.t("activerecord.errors.models.doorkeeper/application.attributes.scopes.not_match_configured"),
+      true,
+    )
+  end
 
-    scenario "adding app validating scope, bad scope with multiple scopes configured" do
-      config_is_set("enforce_configured_scopes", true)
-      scopes = Doorkeeper::OAuth::Scopes.from_array(%w[read write admin])
-      config_is_set("optional_scopes", scopes)
+  context "with blank redirect URI" do
+    scenario "adding app with blank redirect URI when configured flows requires redirect uri" do
+      config_is_set("grant_flows", %w[authorization_code implicit client_credentials])
 
       fill_in "doorkeeper_application[name]", with: "My Application"
       fill_in "doorkeeper_application[redirect_uri]",
-              with: "https://example.com"
-      fill_in "doorkeeper_application[scopes]", with: "read blah"
+              with: ""
 
       click_button "Submit"
       i_should_see "Whoops! Check your form for possible errors"
-      i_should_see Regexp.new(
-        I18n.t("activerecord.errors.models.doorkeeper/application.attributes.scopes.not_match_configured"),
-        true,
-      )
     end
 
-    context "redirect URI" do
-      scenario "adding app with blank redirect URI when configured flows requires redirect uri" do
-        config_is_set("grant_flows", %w[authorization_code implicit client_credentials])
-
-        fill_in "doorkeeper_application[name]", with: "My Application"
-        fill_in "doorkeeper_application[redirect_uri]",
-                with: ""
+    scenario "adding app with blank redirect URI when configured flows without redirect uri" do
+      config_is_set("grant_flows", %w[client_credentials password])
 
-        click_button "Submit"
-        i_should_see "Whoops! Check your form for possible errors"
-      end
-
-      scenario "adding app with blank redirect URI when configured flows without redirect uri" do
-        config_is_set("grant_flows", %w[client_credentials password])
-
-        # Visit it once again to consider grant flows
-        visit "/oauth/applications/new"
+      # Visit it once again to consider grant flows
+      visit "/oauth/applications/new"
 
-        i_should_see I18n.t("doorkeeper.applications.help.blank_redirect_uri")
+      i_should_see I18n.t("doorkeeper.applications.help.blank_redirect_uri")
 
-        fill_in "doorkeeper_application[name]", with: "My Application"
-        fill_in "doorkeeper_application[redirect_uri]",
-                with: ""
+      fill_in "doorkeeper_application[name]", with: "My Application"
+      fill_in "doorkeeper_application[redirect_uri]",
+              with: ""
 
-        click_button "Submit"
-        i_should_see "Application created"
-        i_should_see "My Application"
-      end
+      click_button "Submit"
+      i_should_see "Application created"
+      i_should_see "My Application"
     end
   end
 end

data/spec/requests/endpoints/authorization_spec.rb

@@ -70,7 +70,7 @@ feature "Authorization endpoint" do
     end
   end
 
-  context "forgery protection enabled" do
+  context "when forgery protection enabled" do
     background do
       create_resource_owner
       sign_in

data/spec/requests/endpoints/token_spec.rb

@@ -2,7 +2,7 @@
 
 require "spec_helper"
 
-describe "Token endpoint" do
+RSpec.describe "Token endpoint" do
   before do
     client_exists
     create_resource_owner
@@ -34,46 +34,52 @@ describe "Token endpoint" do
          },
          headers: { "HTTP_AUTHORIZATION" => basic_auth_header_for_client(@client) }
 
-    should_have_json "access_token", Doorkeeper::AccessToken.first.token
+    expect(json_response).to include("access_token" => Doorkeeper::AccessToken.first.token)
   end
 
   it "returns null for expires_in when a permanent token is set" do
     config_is_set(:access_token_expires_in, nil)
+
     post token_endpoint_url(code: @authorization.token, client: @client)
-    should_have_json "access_token", Doorkeeper::AccessToken.first.token
-    should_not_have_json "expires_in"
+
+    expect(json_response).to include("access_token" => Doorkeeper::AccessToken.first.token)
+    expect(json_response).not_to include("expires_in")
   end
 
   it "returns unsupported_grant_type for invalid grant_type param" do
     post token_endpoint_url(code: @authorization.token, client: @client, grant_type: "nothing")
 
-    should_not_have_json "access_token"
-    should_have_json "error", "unsupported_grant_type"
-    should_have_json "error_description", translated_error_message("unsupported_grant_type")
+    expect(json_response).to match(
+      "error" => "unsupported_grant_type",
+      "error_description" => translated_error_message("unsupported_grant_type"),
+    )
   end
 
   it "returns unsupported_grant_type for disabled grant flows" do
     config_is_set(:grant_flows, ["implicit"])
     post token_endpoint_url(code: @authorization.token, client: @client, grant_type: "authorization_code")
 
-    should_not_have_json "access_token"
-    should_have_json "error", "unsupported_grant_type"
-    should_have_json "error_description", translated_error_message("unsupported_grant_type")
+    expect(json_response).to match(
+      "error" => "unsupported_grant_type",
+      "error_description" => translated_error_message("unsupported_grant_type"),
+    )
   end
 
   it "returns unsupported_grant_type when refresh_token is not in use" do
     post token_endpoint_url(code: @authorization.token, client: @client, grant_type: "refresh_token")
 
-    should_not_have_json "access_token"
-    should_have_json "error", "unsupported_grant_type"
-    should_have_json "error_description", translated_error_message("unsupported_grant_type")
+    expect(json_response).to match(
+      "error" => "unsupported_grant_type",
+      "error_description" => translated_error_message("unsupported_grant_type"),
+    )
   end
 
   it "returns invalid_request if grant_type is missing" do
     post token_endpoint_url(code: @authorization.token, client: @client, grant_type: "")
 
-    should_not_have_json "access_token"
-    should_have_json "error", "invalid_request"
-    should_have_json "error_description", translated_invalid_request_error_message(:missing_param, :grant_type)
+    expect(json_response).to match(
+      "error" => "invalid_request",
+      "error_description" => translated_invalid_request_error_message(:missing_param, :grant_type),
+    )
   end
 end

data/spec/requests/flows/authorization_code_errors_spec.rb

@@ -4,6 +4,7 @@ require "spec_helper"
 
 feature "Authorization Code Flow Errors" do
   let(:client_params) { {} }
+
   background do
     default_scopes_exist :default
     config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
@@ -19,6 +20,7 @@ feature "Authorization Code Flow Errors" do
   context "with a client trying to xss resource owner" do
     let(:client_name) { "<div id='xss'>XSS</div>" }
     let(:client_params) { { name: client_name } }
+
     scenario "resource owner visit authorization endpoint" do
       visit authorization_endpoint_url(client: @client)
       expect(page).not_to have_css("#xss")
@@ -47,7 +49,7 @@ feature "Authorization Code Flow Errors" do
   end
 end
 
-describe "Authorization Code Flow Errors", "after authorization" do
+RSpec.describe "Authorization Code Flow Errors after authorization" do
   before do
     client_exists
     create_resource_owner
@@ -63,11 +65,12 @@ describe "Authorization Code Flow Errors", "after authorization" do
     # Second attempt with same token
     expect do
       post token_endpoint_url(code: @authorization.token, client: @client)
-    end.to_not(change { Doorkeeper::AccessToken.count })
+    end.not_to(change { Doorkeeper::AccessToken.count })
 
-    should_not_have_json "access_token"
-    should_have_json "error", "invalid_grant"
-    should_have_json "error_description", translated_error_message("invalid_grant")
+    expect(json_response).to match(
+      "error" => "invalid_grant",
+      "error_description" => translated_error_message("invalid_grant"),
+    )
   end
 
   it "returns :invalid_grant error for invalid grant code" do
@@ -75,8 +78,9 @@ describe "Authorization Code Flow Errors", "after authorization" do
 
     access_token_should_not_exist
 
-    should_not_have_json "access_token"
-    should_have_json "error", "invalid_grant"
-    should_have_json "error_description", translated_error_message("invalid_grant")
+    expect(json_response).to match(
+      "error" => "invalid_grant",
+      "error_description" => translated_error_message("invalid_grant"),
+    )
   end
 end