doorkeeper-mongodb 5.2.1 → 5.2.3

data/spec/controllers/tokens_controller_spec.rb

@@ -2,12 +2,15 @@
 
 require "spec_helper"
 
-describe Doorkeeper::TokensController do
+RSpec.describe Doorkeeper::TokensController do
+  subject { JSON.parse(response.body) }
+
   let(:client) { FactoryBot.create :application }
   let!(:user)  { User.create!(name: "Joe", password: "sekret") }
 
   before do
     Doorkeeper.configure do
+      orm DOORKEEPER_ORM
       resource_owner_from_credentials do
         User.first
       end
@@ -16,8 +19,6 @@ describe Doorkeeper::TokensController do
     allow(Doorkeeper.configuration).to receive(:grant_flows).and_return(["password"])
   end
 
-  subject { JSON.parse(response.body) }
-
   describe "POST #create" do
     before do
       post :create, params: {
@@ -70,7 +71,7 @@ describe Doorkeeper::TokensController do
     end
 
     it "include error_description in response" do
-      expect(subject["error_description"]).to be
+      expect(subject["error_description"]).to be_present
     end
 
     it "does not include access token in response" do
@@ -104,12 +105,12 @@ describe Doorkeeper::TokensController do
         }
       end
 
-      it "should call :before_successful_authorization callback" do
+      it "calls :before_successful_authorization callback" do
         expect(Doorkeeper.configuration)
           .to receive_message_chain(:before_successful_authorization, :call).with(instance_of(described_class), nil)
       end
 
-      it "should call :after_successful_authorization callback" do
+      it "calls :after_successful_authorization callback" do
         expect(Doorkeeper.configuration)
           .to receive_message_chain(:after_successful_authorization, :call)
           .with(instance_of(described_class), instance_of(Doorkeeper::OAuth::Hooks::Context))
@@ -125,12 +126,12 @@ describe Doorkeeper::TokensController do
         }
       end
 
-      it "should call :before_successful_authorization callback" do
+      it "calls :before_successful_authorization callback" do
         expect(Doorkeeper.configuration)
           .to receive_message_chain(:before_successful_authorization, :call).with(instance_of(described_class), nil)
       end
 
-      it "should not call :after_successful_authorization callback" do
+      it "does not call :after_successful_authorization callback" do
         expect(Doorkeeper.configuration).not_to receive(:after_successful_authorization)
       end
     end
@@ -190,9 +191,11 @@ describe Doorkeeper::TokensController do
     context "when associated app is confidential" do
       let(:client) { FactoryBot.create(:application, confidential: true) }
       let(:oauth_client) { Doorkeeper::OAuth::Client.new(client) }
+      let(:server) { instance_double(Doorkeeper::Server) }
 
-      before(:each) do
-        allow_any_instance_of(Doorkeeper::Server).to receive(:client) { oauth_client }
+      before do
+        allow(Doorkeeper::Server).to receive(:new).and_return(server)
+        allow(server).to receive(:client).and_return(oauth_client)
       end
 
       it "returns 200" do
@@ -231,30 +234,35 @@ describe Doorkeeper::TokensController do
     let(:access_token) { FactoryBot.create(:access_token, application: client) }
     let(:token_for_introspection) { FactoryBot.create(:access_token, application: client) }
 
-    context "authorized using valid Bearer token" do
+    context "when authorized using valid Bearer token" do
       it "responds with full token introspection" do
         request.headers["Authorization"] = "Bearer #{access_token.token}"
 
         post :introspect, params: { token: token_for_introspection.token }
 
-        should_have_json "active", true
+        expect(json_response).to include("active" => true)
         expect(json_response).to include("client_id", "token_type", "exp", "iat")
       end
     end
 
-    context "authorized using Client Credentials of the client that token is issued to" do
+    context "when authorized using Client Credentials of the client that token is issued to" do
       it "responds with full token introspection" do
         request.headers["Authorization"] = basic_auth_header_for_client(client)
 
         post :introspect, params: { token: token_for_introspection.token }
 
-        should_have_json "active", true
-        expect(json_response).to include("client_id", "token_type", "exp", "iat")
-        should_have_json "client_id", client.uid
+        expect(json_response).to match(
+          "active" => true,
+          "client_id" => client.uid,
+          "token_type" => "Bearer",
+          "scope" => nil,
+          "exp" => an_instance_of(Integer),
+          "iat" => an_instance_of(Integer),
+        )
       end
     end
 
-    context "configured token introspection disabled" do
+    context "when token introspection disabled" do
       before do
         Doorkeeper.configure do
           orm DOORKEEPER_ORM
@@ -269,12 +277,12 @@ describe Doorkeeper::TokensController do
 
         response_status_should_be 401
 
-        should_not_have_json "active"
-        should_have_json "error", "invalid_token"
+        expect(json_response).not_to include("active")
+        expect(json_response).to include("error" => "invalid_token")
       end
     end
 
-    context "using custom introspection response" do
+    context "when custom introspection response configured" do
       before do
         Doorkeeper.configure do
           orm DOORKEEPER_ORM
@@ -292,13 +300,20 @@ describe Doorkeeper::TokensController do
 
         post :introspect, params: { token: token_for_introspection.token }
 
-        expect(json_response).to include("client_id", "token_type", "exp", "iat", "sub", "aud")
-        should_have_json "sub", "Z5O3upPC88QrAjx00dis"
-        should_have_json "aud", "https://protected.example.net/resource"
+        expect(json_response).to match(
+          "active" => true,
+          "client_id" => client.uid,
+          "token_type" => "Bearer",
+          "scope" => nil,
+          "exp" => an_instance_of(Integer),
+          "iat" => an_instance_of(Integer),
+          "aud" => "https://protected.example.net/resource",
+          "sub" => "Z5O3upPC88QrAjx00dis",
+        )
       end
     end
 
-    context "public access token" do
+    context "when access token is public" do
       let(:token_for_introspection) { FactoryBot.create(:access_token, application: nil) }
 
       it "responds with full token introspection" do
@@ -306,13 +321,18 @@ describe Doorkeeper::TokensController do
 
         post :introspect, params: { token: token_for_introspection.token }
 
-        should_have_json "active", true
-        expect(json_response).to include("client_id", "token_type", "exp", "iat")
-        should_have_json "client_id", nil
+        expect(json_response).to match(
+          "active" => true,
+          "client_id" => nil,
+          "token_type" => "Bearer",
+          "scope" => nil,
+          "exp" => an_instance_of(Integer),
+          "iat" => an_instance_of(Integer),
+        )
       end
     end
 
-    context "token was issued to a different client than is making this request" do
+    context "when token was issued to a different client than is making this request" do
       let(:different_client) { FactoryBot.create(:application) }
 
       it "responds with only active state" do
@@ -322,12 +342,11 @@ describe Doorkeeper::TokensController do
 
         expect(response).to be_successful
 
-        should_have_json "active", false
-        expect(json_response).not_to include("client_id", "token_type", "exp", "iat")
+        expect(json_response).to match("active" => false)
       end
     end
 
-    context "introspection request authorized by a client and allow_token_introspection is true" do
+    context "when introspection request authorized by a client and allow_token_introspection is true" do
       let(:different_client) { FactoryBot.create(:application) }
 
       before do
@@ -341,13 +360,18 @@ describe Doorkeeper::TokensController do
 
         post :introspect, params: { token: token_for_introspection.token }
 
-        should_have_json "active", true
-        expect(json_response).to include("client_id", "token_type", "exp", "iat")
-        should_have_json "client_id", client.uid
+        expect(json_response).to match(
+          "active" => true,
+          "client_id" => client.uid,
+          "token_type" => "Bearer",
+          "scope" => nil,
+          "exp" => an_instance_of(Integer),
+          "iat" => an_instance_of(Integer),
+        )
       end
     end
 
-    context "allow_token_introspection requires authorized token with special scope" do
+    context "when allow_token_introspection requires authorized token with special scope" do
       let(:access_token) { FactoryBot.create(:access_token, scopes: "introspection") }
 
       before do
@@ -361,8 +385,14 @@ describe Doorkeeper::TokensController do
 
         post :introspect, params: { token: token_for_introspection.token }
 
-        should_have_json "active", true
-        expect(json_response).to include("client_id", "token_type", "exp", "iat")
+        expect(json_response).to match(
+          "active" => true,
+          "client_id" => client.uid,
+          "token_type" => "Bearer",
+          "scope" => nil,
+          "exp" => an_instance_of(Integer),
+          "iat" => an_instance_of(Integer),
+        )
       end
 
       it "responds with invalid_token error if authorized token doesn't have introspection scope" do
@@ -374,12 +404,15 @@ describe Doorkeeper::TokensController do
 
         response_status_should_be 401
 
-        should_not_have_json "active"
-        should_have_json "error", "invalid_token"
+        expect(json_response).to match(
+          "error" => "invalid_token",
+          "error_description" => an_instance_of(String),
+          "state" => "unauthorized",
+        )
       end
     end
 
-    context "authorized using invalid Bearer token" do
+    context "when authorized using invalid Bearer token" do
       let(:access_token) do
         FactoryBot.create(:access_token, application: client, revoked_at: 1.day.ago)
       end
@@ -391,12 +424,15 @@ describe Doorkeeper::TokensController do
 
         response_status_should_be 401
 
-        should_not_have_json "active"
-        should_have_json "error", "invalid_token"
+        expect(json_response).to match(
+          "error" => "invalid_token",
+          "error_description" => an_instance_of(String),
+          "state" => "unauthorized",
+        )
       end
     end
 
-    context "authorized using the Bearer token that need to be introspected" do
+    context "when authorized using the Bearer token that need to be introspected" do
       it "responds with invalid token error" do
         request.headers["Authorization"] = "Bearer #{access_token.token}"
 
@@ -404,12 +440,15 @@ describe Doorkeeper::TokensController do
 
         response_status_should_be 401
 
-        should_not_have_json "active"
-        should_have_json "error", "invalid_token"
+        expect(json_response).to match(
+          "error" => "invalid_token",
+          "error_description" => an_instance_of(String),
+          "state" => "unauthorized",
+        )
       end
     end
 
-    context "using invalid credentials to authorize" do
+    context "when invalid credentials used to authorize" do
       let(:client) { double(uid: "123123", secret: "666999") }
       let(:access_token) { FactoryBot.create(:access_token) }
 
@@ -421,24 +460,25 @@ describe Doorkeeper::TokensController do
         expect(response).not_to be_successful
         response_status_should_be 401
 
-        should_not_have_json "active"
-        should_have_json "error", "invalid_client"
+        expect(json_response).to match(
+          "error" => "invalid_client",
+          "error_description" => an_instance_of(String),
+        )
       end
     end
 
-    context "using wrong token value" do
-      context "authorized using client credentials" do
+    context "when wrong token value used" do
+      context "when authorized using client credentials" do
         it "responds with only active state" do
           request.headers["Authorization"] = basic_auth_header_for_client(client)
 
           post :introspect, params: { token: SecureRandom.hex(16) }
 
-          should_have_json "active", false
-          expect(json_response).not_to include("client_id", "token_type", "exp", "iat")
+          expect(json_response).to match("active" => false)
         end
       end
 
-      context "authorized using valid Bearer token" do
+      context "when authorized using valid Bearer token" do
         it "responds with invalid_token error" do
           request.headers["Authorization"] = "Bearer #{access_token.token}"
 
@@ -446,8 +486,11 @@ describe Doorkeeper::TokensController do
 
           response_status_should_be 401
 
-          should_not_have_json "active"
-          should_have_json "error", "invalid_token"
+          expect(json_response).to match(
+            "error" => "invalid_token",
+            "error_description" => an_instance_of(String),
+            "state" => "unauthorized",
+          )
         end
       end
     end
@@ -462,8 +505,7 @@ describe Doorkeeper::TokensController do
 
         post :introspect, params: { token: token_for_introspection.token }
 
-        should_have_json "active", false
-        expect(json_response).not_to include("client_id", "token_type", "exp", "iat")
+        expect(json_response).to match("active" => false)
       end
     end
 
@@ -477,12 +519,11 @@ describe Doorkeeper::TokensController do
 
         post :introspect, params: { token: token_for_introspection.token }
 
-        should_have_json "active", false
-        expect(json_response).not_to include("client_id", "token_type", "exp", "iat")
+        expect(json_response).to match("active" => false)
       end
     end
 
-    context "unauthorized (no bearer token or client credentials)" do
+    context "when unauthorized (no bearer token or client credentials)" do
       let(:token_for_introspection) { FactoryBot.create(:access_token) }
 
       it "responds with invalid_request error" do
@@ -491,8 +532,10 @@ describe Doorkeeper::TokensController do
         expect(response).not_to be_successful
         response_status_should_be 400
 
-        should_not_have_json "active"
-        should_have_json "error", "invalid_request"
+        expect(json_response).to match(
+          "error" => "invalid_request",
+          "error_description" => an_instance_of(String),
+        )
       end
     end
   end

data/spec/doorkeeper/redirect_uri_validator_spec.rb

@@ -0,0 +1,183 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+RSpec.describe Doorkeeper::RedirectUriValidator do
+  subject(:client) do
+    FactoryBot.create(:application)
+  end
+
+  it "is valid when the uri is a uri" do
+    client.redirect_uri = "https://example.com/callback"
+    expect(client).to be_valid
+  end
+
+  # Most mobile and desktop operating systems allow apps to register a custom URL
+  # scheme that will launch the app when a URL with that scheme is visited from
+  # the system browser.
+  #
+  # @see https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uris-native-apps/
+  it "is valid when the uri is custom native URI" do
+    client.redirect_uri = "myapp:/callback"
+    expect(client).to be_valid
+  end
+
+  it "is valid when the uri has a query parameter" do
+    client.redirect_uri = "https://example.com/abcd?xyz=123"
+    expect(client).to be_valid
+  end
+
+  it "accepts nonstandard oob redirect uri" do
+    client.redirect_uri = "urn:ietf:wg:oauth:2.0:oob"
+    expect(client).to be_valid
+  end
+
+  it "accepts nonstandard oob:auto redirect uri" do
+    client.redirect_uri = "urn:ietf:wg:oauth:2.0:oob:auto"
+    expect(client).to be_valid
+  end
+
+  it "is invalid when the uri is not a uri" do
+    client.redirect_uri = "]"
+    expect(client).not_to be_valid
+    expect(client.errors[:redirect_uri].first).to eq(I18n.t("activerecord.errors.models.doorkeeper/application.attributes.redirect_uri.invalid_uri"))
+  end
+
+  it "is invalid when the uri is relative" do
+    client.redirect_uri = "/abcd"
+    expect(client).not_to be_valid
+    expect(client.errors[:redirect_uri].first).to eq(I18n.t("activerecord.errors.models.doorkeeper/application.attributes.redirect_uri.relative_uri"))
+  end
+
+  it "is invalid when the uri has a fragment" do
+    client.redirect_uri = "https://example.com/abcd#xyz"
+    expect(client).not_to be_valid
+    expect(client.errors[:redirect_uri].first).to eq(I18n.t("activerecord.errors.models.doorkeeper/application.attributes.redirect_uri.fragment_present"))
+  end
+
+  it "is invalid when scheme resolves to localhost (needs an explict scheme)" do
+    client.redirect_uri = "localhost:80"
+    expect(client).to be_invalid
+    expect(client.errors[:redirect_uri].first).to eq(I18n.t("activerecord.errors.models.doorkeeper/application.attributes.redirect_uri.unspecified_scheme"))
+  end
+
+  it "is invalid if an ip address" do
+    client.redirect_uri = "127.0.0.1:8080"
+    expect(client).to be_invalid
+  end
+
+  it "accepts an ip address based URI if a scheme is specified" do
+    client.redirect_uri = "https://127.0.0.1:8080"
+    expect(client).to be_valid
+  end
+
+  context "when force secured uri configured" do
+    it "accepts a valid uri" do
+      client.redirect_uri = "https://example.com/callback"
+      expect(client).to be_valid
+    end
+
+    it "accepts custom scheme redirect uri (as per rfc8252 section 7.1)" do
+      client.redirect_uri = "com.example.app:/oauth/callback"
+      expect(client).to be_valid
+    end
+
+    it "accepts custom scheme redirect uri (as per rfc8252 section 7.1) #2" do
+      client.redirect_uri = "com.example.app:/test"
+      expect(client).to be_valid
+    end
+
+    it "accepts custom scheme redirect uri (common misconfiguration we have decided to allow)" do
+      client.redirect_uri = "com.example.app://oauth/callback"
+      expect(client).to be_valid
+    end
+
+    it "accepts custom scheme redirect uri (common misconfiguration we have decided to allow) #2" do
+      client.redirect_uri = "com.example.app://test"
+      expect(client).to be_valid
+    end
+
+    it "accepts a non secured protocol when disabled" do
+      client.redirect_uri = "http://example.com/callback"
+      allow(Doorkeeper.configuration).to receive(
+        :force_ssl_in_redirect_uri,
+      ).and_return(false)
+      expect(client).to be_valid
+    end
+
+    it "accepts a non secured protocol when conditional option defined" do
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+        force_ssl_in_redirect_uri { |uri| uri.host != "localhost" }
+      end
+
+      application = FactoryBot.build(:application, redirect_uri: "http://localhost/callback")
+      expect(application).to be_valid
+
+      application = FactoryBot.build(:application, redirect_uri: "https://test.com/callback")
+      expect(application).to be_valid
+
+      application = FactoryBot.build(:application, redirect_uri: "http://localhost2/callback")
+      expect(application).not_to be_valid
+
+      application = FactoryBot.build(:application, redirect_uri: "https://test.com/callback")
+      expect(application).to be_valid
+    end
+
+    it "forbids redirect uri if required" do
+      client.redirect_uri = "javascript://document.cookie"
+
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+        forbid_redirect_uri { |uri| uri.scheme == "javascript" }
+      end
+
+      expect(client).to be_invalid
+      expect(client.errors[:redirect_uri].first).to eq("is forbidden by the server.")
+
+      client.redirect_uri = "https://localhost/callback"
+      expect(client).to be_valid
+    end
+
+    it "invalidates the uri when the uri does not use a secure protocol" do
+      client.redirect_uri = "http://example.com/callback"
+      expect(client).not_to be_valid
+      error = client.errors[:redirect_uri].first
+      expect(error).to eq(I18n.t("activerecord.errors.models.doorkeeper/application.attributes.redirect_uri.secured_uri"))
+    end
+  end
+
+  context "with multiple redirect uri" do
+    it "invalidates the second uri when the first uri is native uri" do
+      client.redirect_uri = "urn:ietf:wg:oauth:2.0:oob\nexample.com/callback"
+      expect(client).to be_invalid
+    end
+  end
+
+  context "with blank redirect URI" do
+    it "forbids blank redirect uri by default" do
+      client.redirect_uri = ""
+
+      expect(client).to be_invalid
+      expect(client.errors[:redirect_uri]).not_to be_blank
+    end
+
+    it "forbids blank redirect uri by custom condition" do
+      Doorkeeper.configure do
+        orm DOORKEEPER_ORM
+        allow_blank_redirect_uri do |_grant_flows, application|
+          application.name == "admin app"
+        end
+      end
+
+      client.name = "test app"
+      client.redirect_uri = ""
+
+      expect(client).to be_invalid
+      expect(client.errors[:redirect_uri]).not_to be_blank
+
+      client.name = "admin app"
+      expect(client).to be_valid
+    end
+  end
+end

data/spec/{lib → doorkeeper}/server_spec.rb

@@ -2,13 +2,14 @@
 
 require "spec_helper"
 
-describe Doorkeeper::Server do
-  let(:fake_class) { double :fake_class }
-
+RSpec.describe Doorkeeper::Server do
   subject do
-    described_class.new
+    described_class.new(context)
   end
 
+  let(:fake_class) { double :fake_class }
+  let(:context) { double :context }
+
   describe ".authorization_request" do
     it "raises error when strategy does not match phase" do
       expect do

data/spec/{lib → doorkeeper}/stale_records_cleaner_spec.rb

@@ -2,7 +2,7 @@
 
 require "spec_helper"
 
-describe Doorkeeper::StaleRecordsCleaner do
+RSpec.describe Doorkeeper::StaleRecordsCleaner do
   let(:cleaner) { described_class.new(model) }
   let(:models_by_name) do
     {
@@ -14,7 +14,7 @@ describe Doorkeeper::StaleRecordsCleaner do
 
   context "when ORM has no cleaner class" do
     it "raises an error" do
-      allow_any_instance_of(Doorkeeper::Config).to receive(:orm).and_return("hibernate")
+      allow(Doorkeeper.configuration).to receive(:orm).and_return("hibernate")
 
       expect do
         described_class.for(Doorkeeper::AccessToken)
@@ -38,7 +38,7 @@ describe Doorkeeper::StaleRecordsCleaner do
           end
 
           it "removes the record" do
-            expect { subject }.to change { model.count }.to(0)
+            expect { subject }.to change(model, :count).to(0)
           end
         end
 
@@ -50,7 +50,7 @@ describe Doorkeeper::StaleRecordsCleaner do
           end
 
           it "keeps the record" do
-            expect { subject }.not_to(change { model.count })
+            expect { subject }.not_to(change(model, :count))
           end
         end
 
@@ -62,13 +62,14 @@ describe Doorkeeper::StaleRecordsCleaner do
           end
 
           it "keeps the record" do
-            expect { subject }.not_to(change { model.count })
+            expect { subject }.not_to(change(model, :count))
           end
         end
       end
 
       describe "#clean_expired" do
         subject { cleaner.clean_expired(ttl) }
+
         let(:ttl) { 500 }
         let(:expiry_border) { ttl.seconds.ago }
 
@@ -81,7 +82,7 @@ describe Doorkeeper::StaleRecordsCleaner do
           end
 
           it "removes the record" do
-            expect { subject }.to change { model.count }.to(0)
+            expect { subject }.to change(model, :count).to(0)
           end
         end
 
@@ -93,7 +94,7 @@ describe Doorkeeper::StaleRecordsCleaner do
           end
 
           it "keeps the record" do
-            expect { subject }.not_to(change { model.count })
+            expect { subject }.not_to(change(model, :count))
           end
         end
       end

data/spec/{version → doorkeeper}/version_spec.rb

@@ -2,14 +2,14 @@
 
 require "spec_helper"
 
-describe Doorkeeper::VERSION do
-  context "#gem_version" do
+RSpec.describe Doorkeeper::VERSION do
+  describe "#gem_version" do
     it "returns Gem::Version instance" do
       expect(Doorkeeper.gem_version).to be_an_instance_of(Gem::Version)
     end
   end
 
-  context "VERSION" do
+  describe "VERSION" do
     it "returns gem version string" do
       expect(Doorkeeper::VERSION::STRING).to match(/^\d+\.\d+\.\d+(\.\w+)?$/)
     end