RubyGems - doorkeeper-mongodb - Versions diffs - 5.3.0 → 5.5.0 - Mend

doorkeeper-mongodb 5.3.0 → 5.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (192) hide show

data/spec/requests/flows/password_spec.rb DELETED Viewed

@@ -1,356 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-RSpec.describe "Resource Owner Password Credentials Flow" do
-  context "when not setup properly" do
-    before do
-      client_exists
-      create_resource_owner
-    end
-    context "with valid user credentials" do
-      it "does not issue new token" do
-        expect do
-          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-        end.not_to(change { Doorkeeper::AccessToken.count })
-      end
-    end
-  end
-  context "when grant type configured" do
-    let(:client_attributes) { { redirect_uri: nil } }
-    before do
-      config_is_set(:grant_flows, ["password"])
-      config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
-      client_exists(client_attributes)
-      create_resource_owner
-    end
-    context "with valid user credentials" do
-      context "with confidential client authorized using Basic auth" do
-        it "issues a new token" do
-          expect do
-            post password_token_endpoint_url(
-              resource_owner: @resource_owner,
-            ), headers: { "HTTP_AUTHORIZATION" => basic_auth_header_for_client(@client) }
-          end.to(change { Doorkeeper::AccessToken.count })
-          token = Doorkeeper::AccessToken.first
-          expect(token.application_id).to eq(@client.id)
-          expect(json_response).to match(
-            "access_token" => token.token,
-            "expires_in" => an_instance_of(Integer),
-            "token_type" => "Bearer",
-            "created_at" => an_instance_of(Integer),
-          )
-        end
-      end
-      context "with non-confidential/public client" do
-        let(:client_attributes) { { confidential: false } }
-        context "when configured to check application supported grant flow" do
-          before do
-            Doorkeeper.configuration.instance_variable_set(
-              :@allow_grant_flow_for_client,
-              ->(_grant_flow, client) { client.name == "admin" },
-            )
-          end
-          scenario "forbids the request when doesn't satisfy condition" do
-            @client.update(name: "sample app")
-            expect do
-              post password_token_endpoint_url(
-                client_id: @client.uid,
-                client_secret: "foobar",
-                resource_owner: @resource_owner,
-              )
-            end.not_to(change { Doorkeeper::AccessToken.count })
-            expect(response.status).to eq(401)
-            expect(json_response).to match(
-              "error" => "invalid_client",
-              "error_description" => an_instance_of(String),
-            )
-          end
-          scenario "allows the request when satisfies condition" do
-            @client.update(name: "admin")
-            expect do
-              post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
-            end.to change { Doorkeeper::AccessToken.count }.by(1)
-            token = Doorkeeper::AccessToken.first
-            expect(token.application_id).to eq(@client.id)
-            expect(json_response).to include("access_token" => token.token)
-          end
-        end
-        context "when client_secret absent" do
-          it "issues a new token" do
-            expect do
-              post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
-            end.to change { Doorkeeper::AccessToken.count }.by(1)
-            token = Doorkeeper::AccessToken.first
-            expect(token.application_id).to eq(@client.id)
-            expect(json_response).to include("access_token" => token.token)
-          end
-        end
-        context "when client_secret present" do
-          it "issues a new token" do
-            expect do
-              post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-            end.to change { Doorkeeper::AccessToken.count }.by(1)
-            token = Doorkeeper::AccessToken.first
-            expect(token.application_id).to eq(@client.id)
-            expect(json_response).to include("access_token" => token.token)
-          end
-          context "when client_secret incorrect" do
-            it "doesn't issue new token" do
-              expect do
-                post password_token_endpoint_url(
-                  client_id: @client.uid,
-                  client_secret: "foobar",
-                  resource_owner: @resource_owner,
-                )
-              end.not_to(change { Doorkeeper::AccessToken.count })
-              expect(response.status).to eq(401)
-              expect(json_response).to include(
-                "error" => "invalid_client",
-                "error_description" => an_instance_of(String),
-              )
-            end
-          end
-        end
-      end
-      context "with confidential/private client" do
-        it "issues a new token" do
-          expect do
-            post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-          end.to change { Doorkeeper::AccessToken.count }.by(1)
-          token = Doorkeeper::AccessToken.first
-          expect(token.application_id).to eq(@client.id)
-          expect(json_response).to include("access_token" => token.token)
-        end
-        context "when client_secret absent" do
-          it "doesn't issue new token" do
-            expect do
-              post password_token_endpoint_url(client_id: @client.uid, resource_owner: @resource_owner)
-            end.not_to(change { Doorkeeper::AccessToken.count })
-            expect(response.status).to eq(401)
-            expect(json_response).to match(
-              "error" => "invalid_client",
-              "error_description" => an_instance_of(String),
-            )
-          end
-        end
-      end
-      it "issues new token without client credentials" do
-        expect do
-          post password_token_endpoint_url(resource_owner: @resource_owner)
-        end.to(change { Doorkeeper::AccessToken.count }.by(1))
-        token = Doorkeeper::AccessToken.first
-        expect(token.application_id).to be_nil
-        expect(json_response).to include("access_token" => token.token)
-      end
-      it "issues a refresh token if enabled" do
-        config_is_set(:refresh_token_enabled, true)
-        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-        token = Doorkeeper::AccessToken.first
-        expect(json_response).to include("refresh_token" => token.refresh_token)
-      end
-      it "returns the same token if it is still accessible" do
-        allow(Doorkeeper.configuration).to receive(:reuse_access_token).and_return(true)
-        client_is_authorized(@client, @resource_owner)
-        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-        expect(Doorkeeper::AccessToken.count).to be(1)
-        expect(json_response).to include("access_token" => Doorkeeper::AccessToken.first.token)
-      end
-      context "with valid, default scope" do
-        before do
-          default_scopes_exist :public
-        end
-        it "issues new token" do
-          expect do
-            post password_token_endpoint_url(client: @client, resource_owner: @resource_owner, scope: "public")
-          end.to change { Doorkeeper::AccessToken.count }.by(1)
-          token = Doorkeeper::AccessToken.first
-          expect(token.application_id).to eq(@client.id)
-          expect(json_response).to include(
-            "access_token" => token.token,
-            "scope" => "public",
-          )
-        end
-      end
-    end
-    context "when application scopes are present and differs from configured default scopes and no scope is passed" do
-      before do
-        default_scopes_exist :public
-        @client.update(scopes: "abc")
-      end
-      it "issues new token without any scope" do
-        expect do
-          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-        end.to change { Doorkeeper::AccessToken.count }.by(1)
-        token = Doorkeeper::AccessToken.first
-        expect(token.application_id).to eq(@client.id)
-        expect(token.scopes).to be_empty
-        expect(json_response).to include("access_token" => token.token)
-        expect(json_response).not_to include("scope")
-      end
-    end
-    context "when application scopes contain some of the default scopes and no scope is passed" do
-      before do
-        @client.update(scopes: "read write public")
-      end
-      it "issues new token with one default scope that are present in application scopes" do
-        default_scopes_exist :public, :admin
-        expect do
-          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-        end.to change { Doorkeeper::AccessToken.count }.by(1)
-        token = Doorkeeper::AccessToken.first
-        expect(token.application_id).to eq(@client.id)
-        expect(json_response).to include(
-          "access_token" => token.token,
-          "scope" => "public",
-        )
-      end
-      it "issues new token with multiple default scopes that are present in application scopes" do
-        default_scopes_exist :public, :read, :update
-        expect do
-          post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
-        end.to change { Doorkeeper::AccessToken.count }.by(1)
-        token = Doorkeeper::AccessToken.first
-        expect(token.application_id).to eq(@client.id)
-        expect(json_response).to include(
-          "access_token" => token.token,
-          "scope" => "public read",
-        )
-      end
-    end
-    context "with invalid scopes" do
-      subject do
-        post password_token_endpoint_url(
-          client: @client,
-          resource_owner: @resource_owner,
-          scope: "random",
-        )
-      end
-      it "doesn't issue new token" do
-        expect { subject }.not_to(change { Doorkeeper::AccessToken.count })
-      end
-      it "returns invalid_scope error" do
-        subject
-        expect(json_response).to include(
-          "error" => "invalid_scope",
-          "error_description" => translated_error_message(:invalid_scope),
-        )
-        expect(json_response).not_to include("access_token")
-        expect(response.status).to eq(400)
-      end
-    end
-    context "with invalid user credentials" do
-      it "doesn't issue new token with bad password" do
-        expect do
-          post password_token_endpoint_url(
-            client: @client,
-            resource_owner_username: @resource_owner.name,
-            resource_owner_password: "wrongpassword",
-          )
-        end.not_to(change { Doorkeeper::AccessToken.count })
-      end
-      it "doesn't issue new token without credentials" do
-        expect do
-          post password_token_endpoint_url(client: @client)
-        end.not_to(change { Doorkeeper::AccessToken.count })
-      end
-      it "doesn't issue new token if resource_owner_from_credentials returned false or nil" do
-        config_is_set(:resource_owner_from_credentials) { false }
-        expect do
-          post password_token_endpoint_url(client: @client)
-        end.not_to(change { Doorkeeper::AccessToken.count })
-        config_is_set(:resource_owner_from_credentials) { nil }
-        expect do
-          post password_token_endpoint_url(client: @client)
-        end.not_to(change { Doorkeeper::AccessToken.count })
-      end
-    end
-    context "with invalid confidential client credentials" do
-      it "doesn't issue new token with bad client credentials" do
-        expect do
-          post password_token_endpoint_url(
-            client_id: @client.uid,
-            client_secret: "bad_secret",
-            resource_owner: @resource_owner,
-          )
-        end.not_to(change { Doorkeeper::AccessToken.count })
-      end
-    end
-    context "with invalid public client id" do
-      it "doesn't issue new token with bad client id" do
-        expect do
-          post password_token_endpoint_url(client_id: "bad_id", resource_owner: @resource_owner)
-        end.not_to(change { Doorkeeper::AccessToken.count })
-      end
-    end
-  end
-end

data/spec/requests/flows/refresh_token_spec.rb DELETED Viewed

@@ -1,255 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-RSpec.describe "Refresh Token Flow" do
-  before do
-    Doorkeeper.configure do
-      orm DOORKEEPER_ORM
-      use_refresh_token
-    end
-    client_exists
-  end
-  let(:resource_owner) { FactoryBot.create(:resource_owner) }
-  describe "issuing a refresh token" do
-    before do
-      authorization_code_exists application: @client,
-                                resource_owner_id: resource_owner.id,
-                                resource_owner_type: resource_owner.class.name
-    end
-    it "client gets the refresh token and refreshes it" do
-      post token_endpoint_url(code: @authorization.token, client: @client)
-      token = Doorkeeper::AccessToken.first
-      expect(json_response).to include(
-        "access_token" => token.token,
-        "refresh_token" => token.refresh_token,
-      )
-      expect(@authorization.reload).to be_revoked
-      post refresh_token_endpoint_url(client: @client, refresh_token: token.refresh_token)
-      new_token = Doorkeeper::AccessToken.last
-      expect(json_response).to include(
-        "access_token" => new_token.token,
-        "refresh_token" => new_token.refresh_token,
-      )
-      expect(token.token).not_to eq(new_token.token)
-      expect(token.refresh_token).not_to eq(new_token.refresh_token)
-    end
-  end
-  describe "refreshing the token" do
-    before do
-      @token = FactoryBot.create(
-        :access_token,
-        application: @client,
-        resource_owner_id: resource_owner.id,
-        resource_owner_type: resource_owner.class.name,
-        use_refresh_token: true,
-      )
-    end
-    context "when refresh_token revoked on use" do
-      it "client requests a token with refresh token" do
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token,
-        )
-        expect(json_response).to include(
-          "refresh_token" => Doorkeeper::AccessToken.last.refresh_token,
-        )
-        expect(@token.reload).not_to be_revoked
-      end
-      it "client requests a token with expired access token" do
-        @token.update_attribute :expires_in, -100
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token,
-        )
-        expect(json_response).to include(
-          "refresh_token" => Doorkeeper::AccessToken.last.refresh_token,
-        )
-        expect(@token.reload).not_to be_revoked
-      end
-    end
-    context "when refresh_token revoked on refresh_token request" do
-      before do
-        allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
-      end
-      it "client request a token with refresh token" do
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token,
-        )
-        expect(json_response).to include(
-          "refresh_token" => Doorkeeper::AccessToken.last.refresh_token,
-        )
-        expect(@token.reload).to be_revoked
-      end
-      it "client request a token with expired access token" do
-        @token.update_attribute :expires_in, -100
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token,
-        )
-        expect(json_response).to include(
-          "refresh_token" => Doorkeeper::AccessToken.last.refresh_token,
-        )
-        expect(@token.reload).to be_revoked
-      end
-    end
-    context "with public & private clients" do
-      let(:public_client) do
-        FactoryBot.create(
-          :application,
-          confidential: false,
-        )
-      end
-      let(:token_for_private_client) do
-        FactoryBot.create(
-          :access_token,
-          application: @client,
-          resource_owner_id: resource_owner.id,
-          resource_owner_type: resource_owner.class.name,
-          use_refresh_token: true,
-        )
-      end
-      let(:token_for_public_client) do
-        FactoryBot.create(
-          :access_token,
-          application: public_client,
-          resource_owner_id: resource_owner.id,
-          resource_owner_type: resource_owner.class.name,
-          use_refresh_token: true,
-        )
-      end
-      it "issues a new token without client_secret when refresh token was issued to a public client" do
-        post refresh_token_endpoint_url(
-          client_id: public_client.uid,
-          refresh_token: token_for_public_client.refresh_token,
-        )
-        new_token = Doorkeeper::AccessToken.last
-        expect(json_response).to include(
-          "access_token" => new_token.token,
-          "refresh_token" => new_token.refresh_token,
-        )
-      end
-      it "returns an error without credentials" do
-        post refresh_token_endpoint_url(refresh_token: token_for_private_client.refresh_token)
-        expect(json_response).to include("error" => "invalid_grant")
-      end
-      it "returns an error with wrong credentials" do
-        post refresh_token_endpoint_url(
-          client_id: "1",
-          client_secret: "1",
-          refresh_token: token_for_private_client.refresh_token,
-        )
-        expect(json_response).to match(
-          "error" => "invalid_client",
-          "error_description" => an_instance_of(String),
-        )
-      end
-    end
-    it "client gets an error for invalid refresh token" do
-      post refresh_token_endpoint_url(client: @client, refresh_token: "invalid")
-      expect(json_response).to match(
-        "error" => "invalid_grant",
-        "error_description" => an_instance_of(String),
-      )
-    end
-    it "client gets an error for revoked access token" do
-      @token.revoke
-      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
-      expect(json_response).to match(
-        "error" => "invalid_grant",
-        "error_description" => an_instance_of(String),
-      )
-    end
-    it "second of simultaneous client requests get an error for revoked access token" do
-      allow_any_instance_of(Doorkeeper::AccessToken).to receive(:revoked?).and_return(false, true)
-      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
-      expect(json_response).to match(
-        "error" => "invalid_grant",
-        "error_description" => an_instance_of(String),
-      )
-    end
-  end
-  context "when refreshing the token with multiple sessions (devices)" do
-    before do
-      # enable password auth to simulate other devices
-      config_is_set(:grant_flows, ["password"])
-      config_is_set(:resource_owner_from_credentials) do
-        User.authenticate! params[:username], params[:password]
-      end
-      create_resource_owner
-      _another_token = post password_token_endpoint_url(
-        client: @client, resource_owner: resource_owner,
-      )
-      last_token.update(created_at: 5.seconds.ago)
-      @token = FactoryBot.create(
-        :access_token,
-        application: @client,
-        resource_owner_id: resource_owner.id,
-        resource_owner_type: resource_owner.class.name,
-        use_refresh_token: true,
-      )
-      @token.update_attribute :expires_in, -100
-    end
-    context "when refresh_token revoked on use" do
-      it "client request a token after creating another token with the same user" do
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token,
-        )
-        expect(json_response).to include("refresh_token" => last_token.refresh_token)
-        expect(@token.reload).not_to be_revoked
-      end
-    end
-    context "when refresh_token revoked on refresh_token request" do
-      before do
-        allow(Doorkeeper::AccessToken).to receive(:refresh_token_revoked_on_use?).and_return(false)
-      end
-      it "client request a token after creating another token with the same user" do
-        post refresh_token_endpoint_url(
-          client: @client, refresh_token: @token.refresh_token,
-        )
-        expect(json_response).to include("refresh_token" => last_token.refresh_token)
-        expect(@token.reload).to be_revoked
-      end
-    end
-    def last_token
-      Doorkeeper::AccessToken.last_authorized_token_for(
-        @client.id, resource_owner,
-      )
-    end
-  end
-end