RubyGems - doorkeeper-mongodb - Versions diffs - 5.3.0 → 5.4.0 - Mend

doorkeeper-mongodb 5.3.0 → 5.4.0

Files changed (182) hide show

data/spec/requests/flows/password_spec.rb DELETED Viewed

@@ -1,356 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-RSpec.describe "Resource Owner Password Credentials Flow" do
-  context "when not setup properly" do
-    before do
-      client_exists
-      create_resource_owner
-    end
-    context "with valid user credentials" do
-      it "does not issue new token" do
-        expect do
-          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-        end.not_to(change { Doorkeeper::AccessToken.count })
-      end
-    end
-  end
-  context "when grant type configured" do
-    let(:client_attributes) { { redirect_uri: nil } }
-    before do
-      config_is_set(:grant_flows, ["password"])
-      config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
-      client_exists(client_attributes)
-      create_resource_owner
-    end
-    context "with valid user credentials" do
-      context "with confidential client authorized using Basic auth" do
-        it "issues a new token" do
-          expect do
-            post password_token_endpoint_url(
-              resource_owner: @resource_owner,
-            ), headers: { "HTTP_AUTHORIZATION" => basic_auth_header_for_client(@client) }
-          end.to(change { Doorkeeper::AccessToken.count })
-          token = Doorkeeper::AccessToken.first
-          expect(token.application_id).to eq(@client.id)
-          expect(json_response).to match(
-            "access_token" => token.token,
-            "expires_in" => an_instance_of(Integer),
-            "token_type" => "Bearer",
-            "created_at" => an_instance_of(Integer),
-          )
-        end
-      end
-      context "with non-confidential/public client" do
-        let(:client_attributes) { { confidential: false } }
-        context "when configured to check application supported grant flow" do
-          before do
-            Doorkeeper.configuration.instance_variable_set(
-              :@allow_grant_flow_for_client,
-              ->(_grant_flow, client) { client.name == "admin" },
-            )
-          end
-          scenario "forbids the request when doesn't satisfy condition" do
-            @client.update(name: "sample app")
-            expect do
-              post password_token_endpoint_url(
-                client_id: @client.uid,
-                client_secret: "foobar",
-                resource_owner: @resource_owner,
-              )
-            end.not_to(change { Doorkeeper::AccessToken.count })
-            expect(response.status).to eq(401)
-            expect(json_response).to match(
-              "error" => "invalid_client",
-              "error_description" => an_instance_of(String),
-            )
-          end
-          scenario "allows the request when satisfies condition" do
-            @client.update(name: "admin")
-            expect do
-              post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
-            end.to change { Doorkeeper::AccessToken.count }.by(1)
-            token = Doorkeeper::AccessToken.first
-            expect(token.application_id).to eq(@client.id)
-            expect(json_response).to include("access_token" => token.token)
-          end
-        end
-        context "when client_secret absent" do
-          it "issues a new token" do
-            expect do
-              post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
-            end.to change { Doorkeeper::AccessToken.count }.by(1)
-            token = Doorkeeper::AccessToken.first
-            expect(token.application_id).to eq(@client.id)
-            expect(json_response).to include("access_token" => token.token)
-          end
-        end
-        context "when client_secret present" do
-          it "issues a new token" do
-            expect do
-              post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-            end.to change { Doorkeeper::AccessToken.count }.by(1)
-            token = Doorkeeper::AccessToken.first
-            expect(token.application_id).to eq(@client.id)
-            expect(json_response).to include("access_token" => token.token)
-          end
-          context "when client_secret incorrect" do
-            it "doesn't issue new token" do
-              expect do
-                post password_token_endpoint_url(
-                  client_id: @client.uid,
-                  client_secret: "foobar",
-                  resource_owner: @resource_owner,
-                )
-              end.not_to(change { Doorkeeper::AccessToken.count })
-              expect(response.status).to eq(401)
-              expect(json_response).to include(
-                "error" => "invalid_client",
-                "error_description" => an_instance_of(String),
-              )
-            end
-          end
-        end
-      end
-      context "with confidential/private client" do
-        it "issues a new token" do
-          expect do
-            post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-          end.to change { Doorkeeper::AccessToken.count }.by(1)
-          token = Doorkeeper::AccessToken.first
-          expect(token.application_id).to eq(@client.id)
-          expect(json_response).to include("access_token" => token.token)
-        end
-        context "when client_secret absent" do
-          it "doesn't issue new token" do
-            expect do
-              post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
-            end.not_to(change { Doorkeeper::AccessToken.count })
-            expect(response.status).to eq(401)
-            expect(json_response).to match(
-              "error" => "invalid_client",
-              "error_description" => an_instance_of(String),
-            )
-          end
-        end
-      end
-      it "issues new token without client credentials" do
-        expect do
-          post password_token_endpoint_url(resource_owner: @resource_owner)
-        end.to(change { Doorkeeper::AccessToken.count }.by(1))
-        token = Doorkeeper::AccessToken.first
-        expect(token.application_id).to be_nil
-        expect(json_response).to include("access_token" => token.token)
-      end
-      it "issues a refresh token if enabled" do
-        config_is_set(:refresh_token_enabled, true)
-        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-        token = Doorkeeper::AccessToken.first
-        expect(json_response).to include("refresh_token" => token.refresh_token)
-      end
-      it "returns the same token if it is still accessible" do
-        allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
-        client_is_authorized(@client, @resource_owner)
-        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-        expect(Doorkeeper::AccessToken.count).to be(1)
-        expect(json_response).to include("access_token" => Doorkeeper::AccessToken.first.token)
-      end
-      context "with valid, default scope" do
-        before do
-          default_scopes_exist :public
-        end
-        it "issues new token" do
-          expect do
-            post password_token_endpoint_url(client: @client, resource_owner: @resource_owner, scope: "public")
-          end.to change { Doorkeeper::AccessToken.count }.by(1)
-          token = Doorkeeper::AccessToken.first
-          expect(token.application_id).to eq(@client.id)
-          expect(json_response).to include(
-            "access_token" => token.token,
-            "scope" => "public",
-          )
-        end
-      end
-    end
-    context "when application scopes are present and differs from configured default scopes and no scope is passed" do
-      before do
-        default_scopes_exist :public
-        @client.update(scopes: "abc")
-      end
-      it "issues new token without any scope" do
-        expect do
-          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-        end.to change { Doorkeeper::AccessToken.count }.by(1)
-        token = Doorkeeper::AccessToken.first
-        expect(token.application_id).to eq(@client.id)
-        expect(token.scopes).to be_empty
-        expect(json_response).to include("access_token" => token.token)
-        expect(json_response).not_to include("scope")
-      end
-    end
-    context "when application scopes contain some of the default scopes and no scope is passed" do
-      before do
-        @client.update(scopes: "read write public")
-      end
-      it "issues new token with one default scope that are present in application scopes" do
-        default_scopes_exist :public, :admin
-        expect do
-          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-        end.to change { Doorkeeper::AccessToken.count }.by(1)
-        token = Doorkeeper::AccessToken.first
-        expect(token.application_id).to eq(@client.id)
-        expect(json_response).to include(
-          "access_token" => token.token,
-          "scope" => "public",
-        )
-      end
-      it "issues new token with multiple default scopes that are present in application scopes" do
-        default_scopes_exist :public, :read, :update
-        expect do
-          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-        end.to change { Doorkeeper::AccessToken.count }.by(1)
-        token = Doorkeeper::AccessToken.first
-        expect(token.application_id).to eq(@client.id)
-        expect(json_response).to include(
-          "access_token" => token.token,
-          "scope" => "public read",
-        )
-      end
-    end
-    context "with invalid scopes" do
-      subject do
-        post password_token_endpoint_url(
-          client: @client,
-          resource_owner: @resource_owner,
-          scope: "random",
-        )
-      end
-      it "doesn't issue new token" do
-        expect { subject }.not_to(change { Doorkeeper::AccessToken.count })
-      end
-      it "returns invalid_scope error" do
-        subject
-        expect(json_response).to include(
-          "error" => "invalid_scope",
-          "error_description" => translated_error_message(:invalid_scope),
-        )
-        expect(json_response).not_to include("access_token")
-        expect(response.status).to eq(400)
-      end
-    end
-    context "with invalid user credentials" do
-      it "doesn't issue new token with bad password" do
-        expect do
-          post password_token_endpoint_url(
-            client: @client,
-            resource_owner_username: @resource_owner.name,
-            resource_owner_password: "wrongpassword",
-          )
-        end.not_to(change { Doorkeeper::AccessToken.count })
-      end
-      it "doesn't issue new token without credentials" do
-        expect do
-          post password_token_endpoint_url(client: @client)
-        end.not_to(change { Doorkeeper::AccessToken.count })
-      end
-      it "doesn't issue new token if resource_owner_from_credentials returned false or nil" do
-        config_is_set(:resource_owner_from_credentials) { false }
-        expect do
-          post password_token_endpoint_url(client: @client)
-        end.not_to(change { Doorkeeper::AccessToken.count })
-        config_is_set(:resource_owner_from_credentials) { nil }
-        expect do
-          post password_token_endpoint_url(client: @client)
-        end.not_to(change { Doorkeeper::AccessToken.count })
-      end
-    end
-    context "with invalid confidential client credentials" do
-      it "doesn't issue new token with bad client credentials" do
-        expect do
-          post password_token_endpoint_url(
-            client_id: @client.uid,
-            client_secret: "bad_secret",
-            resource_owner: @resource_owner,
-          )
-        end.not_to(change { Doorkeeper::AccessToken.count })
-      end
-    end
-    context "with invalid public client id" do
-      it "doesn't issue new token with bad client id" do
-        expect do
-          post password_token_endpoint_url(client_id: "bad_id", resource_owner: @resource_owner)
-        end.not_to(change { Doorkeeper::AccessToken.count })
-      end
-    end
-  end
-end

data/spec/requests/flows/refresh_token_spec.rb DELETED Viewed

@@ -1,255 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-RSpec.describe "Refresh Token Flow" do
-  before do
-    Doorkeeper.configure do
-      orm DOORKEEPER_ORM
-      use_refresh_token
-    end
-    client_exists
-  end
-  let(:resource_owner) { FactoryBot.create(:resource_owner) }
-  describe "issuing a refresh token" do
-    before do
-      authorization_code_exists application: @client,
-                                resource_owner_id: resource_owner.id,
-                                resource_owner_type: resource_owner.class.name
-    end
-    it "client gets the refresh token and refreshes it" do
-      post token_endpoint_url(code: @authorization.token, client: @client)
-      token = Doorkeeper::AccessToken.first
-      expect(json_response).to include(
-        "access_token" => token.token,
-        "refresh_token" => token.refresh_token,
-      )
-      expect(@authorization.reload).to be_revoked
-      post refresh_token_endpoint_url(client: @client, refresh_token: token.refresh_token)
-      new_token = Doorkeeper::AccessToken.last
-      expect(json_response).to include(
-        "access_token" => new_token.token,
-        "refresh_token" => new_token.refresh_token,
-      )
-      expect(token.token).not_to eq(new_token.token)
-      expect(token.refresh_token).not_to eq(new_token.refresh_token)
-    end
-  end
-  describe "refreshing the token" do
-    before do
-      @token = FactoryBot.create(
-        :access_token,
-        application: @client,
-        resource_owner_id: resource_owner.id,
-        resource_owner_type: resource_owner.class.name,
-        use_refresh_token: true,
-      )
-    end
-    context "when refresh_token revoked on use" do
-      it "client requests a token with refresh token" do
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token,
-        )
-        expect(json_response).to include(
-          "refresh_token" => Doorkeeper::AccessToken.last.refresh_token,
-        )
-        expect(@token.reload).not_to be_revoked
-      end
-      it "client requests a token with expired access token" do
-        @token.update_attribute :expires_in, -100
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token,
-        )
-        expect(json_response).to include(
-          "refresh_token" => Doorkeeper::AccessToken.last.refresh_token,
-        )
-        expect(@token.reload).not_to be_revoked
-      end
-    end
-    context "when refresh_token revoked on refresh_token request" do
-      before do
-        allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
-      end
-      it "client request a token with refresh token" do
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token,
-        )
-        expect(json_response).to include(
-          "refresh_token" => Doorkeeper::AccessToken.last.refresh_token,
-        )
-        expect(@token.reload).to be_revoked
-      end
-      it "client request a token with expired access token" do
-        @token.update_attribute :expires_in, -100
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token,
-        )
-        expect(json_response).to include(
-          "refresh_token" => Doorkeeper::AccessToken.last.refresh_token,
-        )
-        expect(@token.reload).to be_revoked
-      end
-    end
-    context "with public & private clients" do
-      let(:public_client) do
-        FactoryBot.create(
-          :application,
-          confidential: false,
-        )
-      end
-      let(:token_for_private_client) do
-        FactoryBot.create(
-          :access_token,
-          application: @client,
-          resource_owner_id: resource_owner.id,
-          resource_owner_type: resource_owner.class.name,
-          use_refresh_token: true,
-        )
-      end
-      let(:token_for_public_client) do
-        FactoryBot.create(
-          :access_token,
-          application: public_client,
-          resource_owner_id: resource_owner.id,
-          resource_owner_type: resource_owner.class.name,
-          use_refresh_token: true,
-        )
-      end
-      it "issues a new token without client_secret when refresh token was issued to a public client" do
-        post refresh_token_endpoint_url(
-          client_id: public_client.uid,
-          refresh_token: token_for_public_client.refresh_token,
-        )
-        new_token = Doorkeeper::AccessToken.last
-        expect(json_response).to include(
-          "access_token" => new_token.token,
-          "refresh_token" => new_token.refresh_token,
-        )
-      end
-      it "returns an error without credentials" do
-        post refresh_token_endpoint_url(refresh_token: token_for_private_client.refresh_token)
-        expect(json_response).to include("error" => "invalid_grant")
-      end
-      it "returns an error with wrong credentials" do
-        post refresh_token_endpoint_url(
-          client_id: "1",
-          client_secret: "1",
-          refresh_token: token_for_private_client.refresh_token,
-        )
-        expect(json_response).to match(
-          "error" => "invalid_client",
-          "error_description" => an_instance_of(String),
-        )
-      end
-    end
-    it "client gets an error for invalid refresh token" do
-      post refresh_token_endpoint_url(client: @client, refresh_token: "invalid")
-      expect(json_response).to match(
-        "error" => "invalid_grant",
-        "error_description" => an_instance_of(String),
-      )
-    end
-    it "client gets an error for revoked access token" do
-      @token.revoke
-      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
-      expect(json_response).to match(
-        "error" => "invalid_grant",
-        "error_description" => an_instance_of(String),
-      )
-    end
-    it "second of simultaneous client requests get an error for revoked access token" do
-      allow_any_instance_of(Doorkeeper::AccessToken).to receive(:revoked?).and_return(false, true)
-      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
-      expect(json_response).to match(
-        "error" => "invalid_grant",
-        "error_description" => an_instance_of(String),
-      )
-    end
-  end
-  context "when refreshing the token with multiple sessions (devices)" do
-    before do
-      # enable password auth to simulate other devices
-      config_is_set(:grant_flows, ["password"])
-      config_is_set(:resource_owner_from_credentials) do
-        User.authenticate! params[:username], params[:password]
-      end
-      create_resource_owner
-      _another_token = post password_token_endpoint_url(
-        client: @client, resource_owner: resource_owner,
-      )
-      last_token.update(created_at: 5.seconds.ago)
-      @token = FactoryBot.create(
-        :access_token,
-        application: @client,
-        resource_owner_id: resource_owner.id,
-        resource_owner_type: resource_owner.class.name,
-        use_refresh_token: true,
-      )
-      @token.update_attribute :expires_in, -100
-    end
-    context "when refresh_token revoked on use" do
-      it "client request a token after creating another token with the same user" do
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token,
-        )
-        expect(json_response).to include("refresh_token" => last_token.refresh_token)
-        expect(@token.reload).not_to be_revoked
-      end
-    end
-    context "when refresh_token revoked on refresh_token request" do
-      before do
-        allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
-      end
-      it "client request a token after creating another token with the same user" do
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token,
-        )
-        expect(json_response).to include("refresh_token" => last_token.refresh_token)
-        expect(@token.reload).to be_revoked
-      end
-    end
-    def last_token
-      Doorkeeper::AccessToken.last_authorized_token_for(
-        @client.id, resource_owner,
-      )
-    end
-  end
-end