RubyGems - doorkeeper-mongodb - Versions diffs - 5.3.0 → 5.5.0 - Mend

doorkeeper-mongodb 5.3.0 → 5.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (192) hide show

data/spec/lib/oauth/pre_authorization_spec.rb DELETED Viewed

@@ -1,230 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-RSpec.describe Doorkeeper::OAuth::PreAuthorization do
-  subject do
-    described_class.new(server, attributes)
-  end
-  let(:server) do
-    server = Doorkeeper.configuration
-    allow(server).to receive(:default_scopes).and_return(Doorkeeper::OAuth::Scopes.from_string("default"))
-    allow(server).to receive(:optional_scopes).and_return(Doorkeeper::OAuth::Scopes.from_string("public profile"))
-    server
-  end
-  let(:application) { FactoryBot.create(:application, redirect_uri: "https://app.com/callback") }
-  let(:client) { Doorkeeper::OAuth::Client.find(application.uid) }
-  let :attributes do
-    {
-      client_id: client.uid,
-      response_type: "code",
-      redirect_uri: "https://app.com/callback",
-      state: "save-this",
-      current_resource_owner: Object.new,
-    }
-  end
-  it "is authorizable when request is valid" do
-    expect(subject).to be_authorizable
-  end
-  it "accepts code as response type" do
-    attributes[:response_type] = "code"
-    expect(subject).to be_authorizable
-  end
-  it "accepts token as response type" do
-    allow(server).to receive(:grant_flows).and_return(["implicit"])
-    attributes[:response_type] = "token"
-    expect(subject).to be_authorizable
-  end
-  context "when using default grant flows" do
-    it 'accepts "code" as response type' do
-      attributes[:response_type] = "code"
-      expect(subject).to be_authorizable
-    end
-    it 'accepts "token" as response type' do
-      allow(server).to receive(:grant_flows).and_return(["implicit"])
-      attributes[:response_type] = "token"
-      expect(subject).to be_authorizable
-    end
-  end
-  context "when authorization code grant flow is disabled" do
-    before do
-      allow(server).to receive(:grant_flows).and_return(["implicit"])
-    end
-    it 'does not accept "code" as response type' do
-      attributes[:response_type] = "code"
-      expect(subject).not_to be_authorizable
-    end
-  end
-  context "when implicit grant flow is disabled" do
-    before do
-      allow(server).to receive(:grant_flows).and_return(["authorization_code"])
-    end
-    it 'does not accept "token" as response type' do
-      attributes[:response_type] = "token"
-      expect(subject).not_to be_authorizable
-    end
-  end
-  context "when grant flow is client credentials & redirect_uri is nil" do
-    before do
-      allow(server).to receive(:grant_flows).and_return(["client_credentials"])
-      allow(Doorkeeper.configuration).to receive(:allow_grant_flow_for_client?).and_return(false)
-      application.update_column :redirect_uri, nil
-    end
-    it "is not authorizable" do
-      expect(subject).not_to be_authorizable
-    end
-  end
-  context "when client application does not restrict valid scopes" do
-    it "accepts valid scopes" do
-      attributes[:scope] = "public"
-      expect(subject).to be_authorizable
-    end
-    it "rejects (globally) non-valid scopes" do
-      attributes[:scope] = "invalid"
-      expect(subject).not_to be_authorizable
-    end
-    it "accepts scopes which are permitted for grant_type" do
-      allow(server).to receive(:scopes_by_grant_type).and_return(authorization_code: [:public])
-      attributes[:scope] = "public"
-      expect(subject).to be_authorizable
-    end
-    it "rejects scopes which are not permitted for grant_type" do
-      allow(server).to receive(:scopes_by_grant_type).and_return(authorization_code: [:profile])
-      attributes[:scope] = "public"
-      expect(subject).not_to be_authorizable
-    end
-  end
-  context "when client application restricts valid scopes" do
-    let(:application) do
-      FactoryBot.create(:application, scopes: Doorkeeper::OAuth::Scopes.from_string("public nonsense"))
-    end
-    it "accepts valid scopes" do
-      attributes[:scope] = "public"
-      expect(subject).to be_authorizable
-    end
-    it "rejects (globally) non-valid scopes" do
-      attributes[:scope] = "invalid"
-      expect(subject).not_to be_authorizable
-    end
-    it "rejects (application level) non-valid scopes" do
-      attributes[:scope] = "profile"
-      expect(subject).not_to be_authorizable
-    end
-    it "accepts scopes which are permitted for grant_type" do
-      allow(server).to receive(:scopes_by_grant_type).and_return(authorization_code: [:public])
-      attributes[:scope] = "public"
-      expect(subject).to be_authorizable
-    end
-    it "rejects scopes which are not permitted for grant_type" do
-      allow(server).to receive(:scopes_by_grant_type).and_return(authorization_code: [:profile])
-      attributes[:scope] = "public"
-      expect(subject).not_to be_authorizable
-    end
-  end
-  context "when scope is not provided to pre_authorization" do
-    before { attributes[:scope] = nil }
-    context "when default scopes is provided" do
-      it "uses default scopes" do
-        allow(server).to receive(:default_scopes).and_return(Doorkeeper::OAuth::Scopes.from_string("default_scope"))
-        expect(subject).to be_authorizable
-        expect(subject.scope).to eq("default_scope")
-        expect(subject.scopes).to eq(Doorkeeper::OAuth::Scopes.from_string("default_scope"))
-      end
-    end
-    context "when default scopes is none" do
-      it "not be authorizable when none default scope" do
-        allow(server).to receive(:default_scopes).and_return(Doorkeeper::OAuth::Scopes.new)
-        expect(subject).not_to be_authorizable
-      end
-    end
-  end
-  it "matches the redirect uri against client's one" do
-    attributes[:redirect_uri] = "http://nothesame.com"
-    expect(subject).not_to be_authorizable
-  end
-  it "stores the state" do
-    expect(subject.state).to eq("save-this")
-  end
-  it "rejects if response type is not allowed" do
-    attributes[:response_type] = "whops"
-    expect(subject).not_to be_authorizable
-  end
-  it "requires an existing client" do
-    attributes[:client_id] = nil
-    expect(subject).not_to be_authorizable
-  end
-  it "requires a redirect uri" do
-    attributes[:redirect_uri] = nil
-    expect(subject).not_to be_authorizable
-  end
-  context "when resource_owner cannot access client application" do
-    before { allow(Doorkeeper.configuration).to receive(:authorize_resource_owner_for_client).and_return(->(*_) { false }) }
-    it "is not authorizable" do
-      expect(subject).not_to be_authorizable
-    end
-  end
-  describe "as_json" do
-    before { subject.authorizable? }
-    it { is_expected.to respond_to :as_json }
-    shared_examples "returns the pre authorization" do
-      it "returns the pre authorization" do
-        expect(json[:client_id]).to eq client.uid
-        expect(json[:redirect_uri]).to eq subject.redirect_uri
-        expect(json[:state]).to eq subject.state
-        expect(json[:response_type]).to eq subject.response_type
-        expect(json[:scope]).to eq subject.scope
-        expect(json[:client_name]).to eq client.name
-        expect(json[:status]).to eq I18n.t("doorkeeper.pre_authorization.status")
-      end
-    end
-    context "when called without params" do
-      let(:json) { subject.as_json }
-      include_examples "returns the pre authorization"
-    end
-    context "when called with params" do
-      let(:json) { subject.as_json(foo: "bar") }
-      include_examples "returns the pre authorization"
-    end
-  end
-end

data/spec/lib/oauth/refresh_token_request_spec.rb DELETED Viewed

@@ -1,166 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-RSpec.describe Doorkeeper::OAuth::RefreshTokenRequest do
-  subject { described_class.new(server, refresh_token, credentials) }
-  let(:server) do
-    double :server, access_token_expires_in: 2.minutes
-  end
-  let(:refresh_token) do
-    FactoryBot.create(:access_token, use_refresh_token: true)
-  end
-  let(:client) { refresh_token.application }
-  let(:credentials) { Doorkeeper::OAuth::Client::Credentials.new(client.uid, client.secret) }
-  before do
-    allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
-    allow(server).to receive(:option_defined?).with(:custom_access_token_expires_in).and_return(false)
-  end
-  it "issues a new token for the client" do
-    expect { subject.authorize }.to change { client.reload.access_tokens.count }.by(1)
-    # #sort_by used for MongoDB ORM extensions for valid ordering
-    expect(client.reload.access_tokens.max_by(&:created_at).expires_in).to eq(refresh_token.expires_in)
-  end
-  it "issues a new token for the client with the same expiry as of original token" do
-    allow(server).to receive(:option_defined?).with(:custom_access_token_expires_in).and_return(true)
-    allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
-    described_class.new(server, refresh_token, credentials).authorize
-    # #sort_by used for MongoDB ORM extensions for valid ordering
-    expect(client.reload.access_tokens.max_by(&:created_at).expires_in).to eq(refresh_token.expires_in)
-  end
-  it "revokes the previous token" do
-    expect { subject.authorize }.to change(refresh_token, :revoked?).from(false).to(true)
-  end
-  it "calls configured request callback methods" do
-    expect(Doorkeeper.configuration.before_successful_strategy_response)
-      .to receive(:call).with(subject).once
-    expect(Doorkeeper.configuration.after_successful_strategy_response)
-      .to receive(:call).with(subject, instance_of(Doorkeeper::OAuth::TokenResponse)).once
-    subject.authorize
-  end
-  it "requires the refresh token" do
-    request = described_class.new(server, nil, credentials)
-    request.validate
-    expect(request.error).to eq(:invalid_request)
-    expect(request.missing_param).to eq(:refresh_token)
-  end
-  it "requires credentials to be valid if provided" do
-    credentials = Doorkeeper::OAuth::Client::Credentials.new("invalid", "invalid")
-    request = described_class.new(server, refresh_token, credentials)
-    request.validate
-    expect(request.error).to eq(:invalid_client)
-  end
-  it "requires the token's client and current client to match" do
-    other_app = FactoryBot.create(:application)
-    credentials = Doorkeeper::OAuth::Client::Credentials.new(other_app.uid, other_app.secret)
-    request = described_class.new(server, refresh_token, credentials)
-    request.validate
-    expect(request.error).to eq(:invalid_grant)
-  end
-  it "rejects revoked tokens" do
-    refresh_token.revoke
-    subject.validate
-    expect(subject.error).to eq(:invalid_grant)
-  end
-  it "accepts expired tokens" do
-    refresh_token.expires_in = -1
-    refresh_token.save
-    subject.validate
-    expect(subject).to be_valid
-  end
-  context "when refresh tokens expire on access token use" do
-    before do
-      allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(true)
-    end
-    it "issues a new token for the client" do
-      expect { subject.authorize }.to change { client.reload.access_tokens.count }.by(1)
-    end
-    it "does not revoke the previous token" do
-      subject.authorize
-      expect(refresh_token).not_to be_revoked
-    end
-    it "sets the previous refresh token in the new access token" do
-      subject.authorize
-      expect(
-        # #sort_by used for MongoDB ORM extensions for valid ordering
-        client.access_tokens.max_by(&:created_at).previous_refresh_token,
-      ).to eq(refresh_token.refresh_token)
-    end
-  end
-  context "with clientless access tokens" do
-    subject { described_class.new server, refresh_token, nil }
-    let!(:refresh_token) { FactoryBot.create(:clientless_access_token, use_refresh_token: true) }
-    it "issues a new token without a client" do
-      expect { subject.authorize }.to change { Doorkeeper::AccessToken.count }.by(1)
-    end
-  end
-  context "with scopes" do
-    subject { described_class.new server, refresh_token, credentials, parameters }
-    let(:refresh_token) do
-      FactoryBot.create :access_token,
-                        use_refresh_token: true,
-                        scopes: "public write"
-    end
-    let(:parameters) { {} }
-    it "transfers scopes from the old token to the new token" do
-      subject.authorize
-      expect(Doorkeeper::AccessToken.last.scopes).to eq(%i[public write])
-    end
-    it "reduces scopes to the provided scopes" do
-      parameters[:scopes] = "public"
-      subject.authorize
-      expect(Doorkeeper::AccessToken.last.scopes).to eq(%i[public])
-    end
-    it "validates that scopes are included in the original access token" do
-      parameters[:scopes] = "public update"
-      subject.validate
-      expect(subject.error).to eq(:invalid_scope)
-    end
-    it "uses params[:scope] in favor of scopes if present (valid)" do
-      parameters[:scopes] = "public update"
-      parameters[:scope] = "public"
-      subject.authorize
-      expect(Doorkeeper::AccessToken.last.scopes).to eq(%i[public])
-    end
-    it "uses params[:scope] in favor of scopes if present (invalid)" do
-      parameters[:scopes] = "public"
-      parameters[:scope] = "public update"
-      subject.validate
-      expect(subject.error).to eq(:invalid_scope)
-    end
-  end
-end

data/spec/lib/oauth/scopes_spec.rb DELETED Viewed

@@ -1,146 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-RSpec.describe Doorkeeper::OAuth::Scopes do
-  describe "#add" do
-    it "allows you to add scopes with symbols" do
-      subject.add :public
-      expect(subject.all).to eq(["public"])
-    end
-    it "allows you to add scopes with strings" do
-      subject.add "public"
-      expect(subject.all).to eq(["public"])
-    end
-    it "do not add already included scopes" do
-      subject.add :public
-      subject.add :public
-      expect(subject.all).to eq(["public"])
-    end
-  end
-  describe "#exists" do
-    before do
-      subject.add :public
-    end
-    it "returns true if scope with given name is present" do
-      expect(subject).to exist("public")
-    end
-    it "returns false if scope with given name does not exist" do
-      expect(subject).not_to exist("other")
-    end
-    it "handles symbols" do
-      expect(subject).to exist(:public)
-      expect(subject).not_to exist(:other)
-    end
-  end
-  describe ".from_string" do
-    subject { described_class.from_string(string) }
-    let(:string) { "public write" }
-    it { expect(subject).to be_a(described_class) }
-    describe "#all" do
-      it "is an array of the expected scopes" do
-        scopes_array = subject.all
-        expect(scopes_array.size).to eq(2)
-        expect(scopes_array).to include("public")
-        expect(scopes_array).to include("write")
-      end
-    end
-  end
-  describe "#+" do
-    it "can add to another scope object" do
-      scopes = described_class.from_string("public") + described_class.from_string("admin")
-      expect(scopes.all).to eq(%w[public admin])
-    end
-    it "does not change the existing object" do
-      origin = described_class.from_string("public")
-      expect(origin.to_s).to eq("public")
-    end
-    it "can add an array to a scope object" do
-      scopes = described_class.from_string("public") + ["admin"]
-      expect(scopes.all).to eq(%w[public admin])
-    end
-    it "raises an error if cannot handle addition" do
-      expect do
-        described_class.from_string("public") + "admin"
-      end.to raise_error(NoMethodError)
-    end
-  end
-  describe "#&" do
-    it "can get intersection with another scope object" do
-      scopes = described_class.from_string("public admin") & described_class.from_string("write admin")
-      expect(scopes.all).to eq(%w[admin])
-    end
-    it "does not change the existing object" do
-      origin = described_class.from_string("public admin")
-      origin & described_class.from_string("write admin")
-      expect(origin.to_s).to eq("public admin")
-    end
-    it "can get intersection with an array" do
-      scopes = described_class.from_string("public admin") & %w[write admin]
-      expect(scopes.all).to eq(%w[admin])
-    end
-  end
-  describe "#==" do
-    it "is equal to another set of scopes" do
-      expect(described_class.from_string("public")).to eq(described_class.from_string("public"))
-    end
-    it "is equal to another set of scopes with no particular order" do
-      expect(described_class.from_string("public write")).to eq(described_class.from_string("write public"))
-    end
-    it "differs from another set of scopes when scopes are not the same" do
-      expect(described_class.from_string("public write")).not_to eq(described_class.from_string("write"))
-    end
-    it "does not raise an error when compared to a non-enumerable object" do
-      expect { described_class.from_string("public") == false }.not_to raise_error
-    end
-  end
-  describe "#has_scopes?" do
-    subject { described_class.from_string("public admin") }
-    it "returns true when at least one scope is included" do
-      expect(subject).to have_scopes(described_class.from_string("public"))
-    end
-    it "returns true when all scopes are included" do
-      expect(subject).to have_scopes(described_class.from_string("public admin"))
-    end
-    it "is true if all scopes are included in any order" do
-      expect(subject).to have_scopes(described_class.from_string("admin public"))
-    end
-    it "is false if no scopes are included" do
-      expect(subject).not_to have_scopes(described_class.from_string("notexistent"))
-    end
-    it "returns false when any scope is not included" do
-      expect(subject).not_to have_scopes(described_class.from_string("public nope"))
-    end
-    it "is false if no scopes are included even for existing ones" do
-      expect(subject).not_to have_scopes(described_class.from_string("public admin notexistent"))
-    end
-  end
-end

data/spec/lib/oauth/token_request_spec.rb DELETED Viewed

@@ -1,164 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-RSpec.describe Doorkeeper::OAuth::TokenRequest do
-  subject do
-    described_class.new(pre_auth, owner)
-  end
-  let :application do
-    FactoryBot.create(:application, scopes: "public")
-  end
-  let :pre_auth do
-    server = Doorkeeper.config
-    allow(server).to receive(:default_scopes).and_return(Doorkeeper::OAuth::Scopes.from_string("public"))
-    allow(server).to receive(:grant_flows).and_return(Doorkeeper::OAuth::Scopes.from_string("implicit"))
-    client = Doorkeeper::OAuth::Client.new(application)
-    attributes = {
-      client_id: client.uid,
-      response_type: "token",
-      redirect_uri: "https://app.com/callback",
-    }
-    pre_auth = Doorkeeper::OAuth::PreAuthorization.new(server, attributes)
-    pre_auth.authorizable?
-    pre_auth
-  end
-  let :owner do
-    FactoryBot.create(:doorkeeper_testing_user)
-  end
-  it "creates an access token" do
-    expect do
-      subject.authorize
-    end.to change { Doorkeeper::AccessToken.count }.by(1)
-  end
-  it "returns a code response" do
-    expect(subject.authorize).to be_a(Doorkeeper::OAuth::CodeResponse)
-  end
-  context "when pre_auth is denied" do
-    it "does not create token and returns a error response" do
-      expect { subject.deny }.not_to(change { Doorkeeper::AccessToken.count })
-      expect(subject.deny).to be_a(Doorkeeper::OAuth::ErrorResponse)
-    end
-  end
-  describe "with custom expiration" do
-    context "when proper TTL returned" do
-      before do
-        Doorkeeper.configure do
-          orm DOORKEEPER_ORM
-          custom_access_token_expires_in do |context|
-            context.grant_type == Doorkeeper::OAuth::IMPLICIT ? 1234 : nil
-          end
-        end
-      end
-      it "uses the custom ttl" do
-        subject.authorize
-        token = Doorkeeper::AccessToken.first
-        expect(token.expires_in).to eq(1234)
-      end
-    end
-    context "when nil TTL returned" do
-      before do
-        Doorkeeper.configure do
-          orm DOORKEEPER_ORM
-          access_token_expires_in 654
-          custom_access_token_expires_in do |_context|
-            nil
-          end
-        end
-      end
-      it "fallbacks to access_token_expires_in" do
-        subject.authorize
-        token = Doorkeeper::AccessToken.first
-        expect(token.expires_in).to eq(654)
-      end
-    end
-    context "when infinite TTL returned" do
-      before do
-        Doorkeeper.configure do
-          orm DOORKEEPER_ORM
-          access_token_expires_in 654
-          custom_access_token_expires_in do |_context|
-            Float::INFINITY
-          end
-        end
-      end
-      it "fallbacks to access_token_expires_in" do
-        subject.authorize
-        token = Doorkeeper::AccessToken.first
-        expect(token.expires_in).to be_nil
-      end
-    end
-  end
-  context "when reuse_access_token enabled" do
-    it "creates a new token if there are no matching tokens" do
-      allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
-      expect do
-        subject.authorize
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
-    end
-    it "creates a new token if scopes do not match" do
-      allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
-      FactoryBot.create(
-        :access_token,
-        application_id: pre_auth.client.id,
-        resource_owner_id: owner.id,
-        resource_owner_type: owner.class.name,
-        scopes: "",
-      )
-      expect do
-        subject.authorize
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
-    end
-    it "skips token creation if there is a matching one reusable" do
-      allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
-      allow(application.scopes).to receive(:has_scopes?).and_return(true)
-      allow(application.scopes).to receive(:all?).and_return(true)
-      FactoryBot.create(
-        :access_token, application_id: pre_auth.client.id,
-                       resource_owner_id: owner.id, resource_owner_type: owner.class.name, scopes: "public",
-      )
-      expect { subject.authorize }.not_to(change { Doorkeeper::AccessToken.count })
-    end
-    it "creates new token if there is a matching one but non reusable" do
-      allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
-      allow(application.scopes).to receive(:has_scopes?).and_return(true)
-      allow(application.scopes).to receive(:all?).and_return(true)
-      FactoryBot.create(
-        :access_token,
-        application_id: pre_auth.client.id,
-        resource_owner_id: owner.id,
-        resource_owner_type: owner.class.name,
-        scopes: "public",
-      )
-      allow_any_instance_of(Doorkeeper::AccessToken).to receive(:reusable?).and_return(false)
-      expect do
-        subject.authorize
-      end.to change { Doorkeeper::AccessToken.count }.by(1)
-    end
-  end
-end