RubyGems - doorkeeper-mongodb - Versions diffs - 5.3.0 → 5.5.0 - Mend

doorkeeper-mongodb 5.3.0 → 5.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (192) hide show

data/spec/requests/flows/revoke_token_spec.rb DELETED Viewed

@@ -1,196 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-RSpec.describe "Revoke Token Flow" do
-  before do
-    Doorkeeper.configure { orm DOORKEEPER_ORM }
-  end
-  let(:private_client_application) { FactoryBot.create :application }
-  let(:public_client_application) { FactoryBot.create :application, confidential: false }
-  let(:resource_owner) { User.create!(name: "John", password: "sekret") }
-  context "with authenticated, confidential OAuth 2.0 client/application" do
-    let(:access_token) do
-      FactoryBot.create(
-        :access_token,
-        application: private_client_application,
-        resource_owner_id: resource_owner.id,
-        resource_owner_type: resource_owner.class.name,
-        use_refresh_token: true,
-      )
-    end
-    let(:headers) do
-      client_id = private_client_application.uid
-      client_secret = private_client_application.secret
-      credentials = Base64.encode64("#{client_id}:#{client_secret}")
-      { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
-    end
-    it "revokes the access token provided" do
-      post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
-      expect(response).to be_successful
-      expect(access_token.reload).to be_revoked
-    end
-    it "revokes the refresh token provided" do
-      post revocation_token_endpoint_url, params: { token: access_token.refresh_token }, headers: headers
-      expect(response).to be_successful
-      expect(access_token.reload).to be_revoked
-    end
-    context "with invalid token to revoke" do
-      it "does not revoke any tokens and must respond with success" do
-        expect do
-          post revocation_token_endpoint_url,
-               params: { token: "I_AM_AN_INVALID_TOKEN" },
-               headers: headers
-        end.not_to(change { Doorkeeper::AccessToken.where(revoked_at: nil).count })
-        expect(response).to be_successful
-      end
-    end
-    context "with bad credentials and a valid token" do
-      let(:headers) do
-        client_id = private_client_application.uid
-        credentials = Base64.encode64("#{client_id}:poop")
-        { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
-      end
-      it "does not revoke any tokens and respond with forbidden" do
-        post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
-        expect(response).to be_forbidden
-        expect(response.body).to include("unauthorized_client")
-        expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
-        expect(access_token.reload).not_to be_revoked
-      end
-    end
-    context "with no credentials and a valid token" do
-      it "does not revoke any tokens and respond with forbidden" do
-        post revocation_token_endpoint_url, params: { token: access_token.token }
-        expect(response).to be_forbidden
-        expect(response.body).to include("unauthorized_client")
-        expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
-        expect(access_token.reload).not_to be_revoked
-      end
-    end
-    context "with valid token for another client application" do
-      let(:other_client_application) { FactoryBot.create :application }
-      let(:headers) do
-        client_id = other_client_application.uid
-        client_secret = other_client_application.secret
-        credentials = Base64.encode64("#{client_id}:#{client_secret}")
-        { "HTTP_AUTHORIZATION" => "Basic #{credentials}" }
-      end
-      it "does not revoke the token as it's unauthorized" do
-        post revocation_token_endpoint_url, params: { token: access_token.token }, headers: headers
-        expect(response).to be_forbidden
-        expect(response.body).to include("unauthorized_client")
-        expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
-        expect(access_token.reload).not_to be_revoked
-      end
-    end
-  end
-  context "with authenticated public OAuth 2.0 client/application" do
-    let(:access_token) do
-      FactoryBot.create(
-        :access_token,
-        application: nil,
-        resource_owner_id: resource_owner.id,
-        resource_owner_type: resource_owner.class.name,
-        use_refresh_token: true,
-      )
-    end
-    it "revokes the access token provided" do
-      post revocation_token_endpoint_url,
-           params: { client_id: public_client_application.uid, token: access_token.token },
-           headers: headers
-      expect(response).to be_successful
-      expect(access_token.reload).to be_revoked
-    end
-    it "revokes the refresh token provided" do
-      post revocation_token_endpoint_url,
-           params: { client_id: public_client_application.uid, token: access_token.refresh_token },
-           headers: headers
-      expect(response).to be_successful
-      expect(access_token.reload).to be_revoked
-    end
-    it "responses with success even for invalid token" do
-      post revocation_token_endpoint_url,
-           params: { client_id: public_client_application.uid, token: "dont_exist" },
-           headers: headers
-      expect(response).to be_successful
-    end
-    context "with a valid token issued for a confidential client" do
-      let(:access_token) do
-        FactoryBot.create(
-          :access_token,
-          application: private_client_application,
-          resource_owner_id: resource_owner.id,
-          resource_owner_type: resource_owner.class.name,
-          use_refresh_token: true,
-        )
-      end
-      it "does not revoke the access token provided" do
-        post revocation_token_endpoint_url,
-             params: { client_id: public_client_application.uid, token: access_token.token }
-        expect(response).to be_forbidden
-        expect(response.body).to include("unauthorized_client")
-        expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
-        expect(access_token.reload).not_to be_revoked
-      end
-      it "does not revoke the refresh token provided" do
-        post revocation_token_endpoint_url,
-             params: { client_id: public_client_application.uid, token: access_token.refresh_token }
-        expect(response).to be_forbidden
-        expect(response.body).to include("unauthorized_client")
-        expect(response.body).to include(I18n.t("doorkeeper.errors.messages.revoke.unauthorized"))
-        expect(access_token.reload).not_to be_revoked
-      end
-    end
-  end
-  context "without client authentication" do
-    let(:access_token) do
-      FactoryBot.create(
-        :access_token,
-        application: nil,
-        resource_owner_id: resource_owner.id,
-        resource_owner_type: resource_owner.class.name,
-        use_refresh_token: true,
-      )
-    end
-    it "does not remove the token and responses with an error" do
-      post revocation_token_endpoint_url,
-           params: { token: access_token.token },
-           headers: headers
-      expect(response).not_to be_successful
-      expect(access_token.reload).not_to be_revoked
-    end
-  end
-end

data/spec/requests/flows/skip_authorization_spec.rb DELETED Viewed

@@ -1,66 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-feature "Skip authorization form" do
-  background do
-    config_is_set(:authenticate_resource_owner) { User.first || redirect_to("/sign_in") }
-    client_exists
-    default_scopes_exist  :public
-    optional_scopes_exist :write
-  end
-  context "with previously authorized clients" do
-    background do
-      create_resource_owner
-      sign_in
-    end
-    scenario "skips the authorization and return a new grant code" do
-      client_is_authorized(@client, @resource_owner, scopes: "public")
-      visit authorization_endpoint_url(client: @client, scope: "public")
-      i_should_not_see "Authorize"
-      client_should_be_authorized @client
-      i_should_be_on_client_callback @client
-      url_should_have_param "code", Doorkeeper::AccessGrant.first.token
-    end
-    scenario "skips the authorization if other scopes are not requested" do
-      client_exists scopes: "public read write"
-      client_is_authorized(@client, @resource_owner, scopes: "public")
-      visit authorization_endpoint_url(client: @client, scope: "public")
-      i_should_not_see "Authorize"
-      client_should_be_authorized @client
-      i_should_be_on_client_callback @client
-      url_should_have_param "code", Doorkeeper::AccessGrant.first.token
-    end
-    scenario "does not skip authorization when scopes differ (new request has fewer scopes)" do
-      client_is_authorized(@client, @resource_owner, scopes: "public write")
-      visit authorization_endpoint_url(client: @client, scope: "public")
-      i_should_see "Authorize"
-    end
-    scenario "does not skip authorization when scopes differ (new request has more scopes)" do
-      client_is_authorized(@client, @resource_owner, scopes: "public write")
-      visit authorization_endpoint_url(client: @client, scopes: "public write email")
-      i_should_see "Authorize"
-    end
-    scenario "creates grant with new scope when scopes differ" do
-      client_is_authorized(@client, @resource_owner, scopes: "public write")
-      visit authorization_endpoint_url(client: @client, scope: "public")
-      click_on "Authorize"
-      access_grant_should_have_scopes :public
-    end
-    scenario "creates grant with new scope when scopes are greater" do
-      client_is_authorized(@client, @resource_owner, scopes: "public")
-      visit authorization_endpoint_url(client: @client, scope: "public write")
-      click_on "Authorize"
-      access_grant_should_have_scopes :public, :write
-    end
-  end
-end

data/spec/requests/protected_resources/metal_spec.rb DELETED Viewed

@@ -1,16 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-RSpec.describe "ActionController::Metal API" do
-  before do
-    @client   = FactoryBot.create(:application)
-    @resource = User.create!(name: "Joe", password: "sekret")
-    @token    = client_is_authorized(@client, @resource)
-  end
-  it "client requests protected resource with valid token" do
-    get "/metal.json?access_token=#{@token.token}"
-    expect(json_response).to include("ok" => true)
-  end
-end

data/spec/requests/protected_resources/private_api_spec.rb DELETED Viewed

@@ -1,83 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-feature "Private API" do
-  background do
-    @client   = FactoryBot.create(:application)
-    @resource = User.create!(name: "Joe", password: "sekret")
-    @token    = client_is_authorized(@client, @resource)
-  end
-  scenario "client requests protected resource with valid token" do
-    with_access_token_header @token.token
-    visit "/full_protected_resources"
-    expect(page.body).to have_content("index")
-  end
-  scenario "client requests protected resource with disabled header authentication" do
-    config_is_set :access_token_methods, [:from_access_token_param]
-    with_access_token_header @token.token
-    visit "/full_protected_resources"
-    response_status_should_be 401
-  end
-  scenario "client attempts to request protected resource with invalid token" do
-    with_access_token_header "invalid"
-    visit "/full_protected_resources"
-    response_status_should_be 401
-  end
-  scenario "client attempts to request protected resource with expired token" do
-    @token.update_attribute :expires_in, -100 # expires token
-    with_access_token_header @token.token
-    visit "/full_protected_resources"
-    response_status_should_be 401
-  end
-  scenario "client requests protected resource with permanent token" do
-    @token.update_attribute :expires_in, nil # never expires
-    with_access_token_header @token.token
-    visit "/full_protected_resources"
-    expect(page.body).to have_content("index")
-  end
-  scenario "access token with no default scopes" do
-    Doorkeeper.configuration.instance_eval do
-      @default_scopes = Doorkeeper::OAuth::Scopes.from_array([:public])
-      @scopes = default_scopes + optional_scopes
-    end
-    @token.update_attribute :scopes, "dummy"
-    with_access_token_header @token.token
-    visit "/full_protected_resources"
-    response_status_should_be 403
-  end
-  scenario "access token with no allowed scopes" do
-    @token.update_attribute :scopes, nil
-    with_access_token_header @token.token
-    visit "/full_protected_resources/1.json"
-    response_status_should_be 403
-  end
-  scenario "access token with one of allowed scopes" do
-    @token.update_attribute :scopes, "admin"
-    with_access_token_header @token.token
-    visit "/full_protected_resources/1.json"
-    expect(page.body).to have_content("show")
-  end
-  scenario "access token with another of allowed scopes" do
-    @token.update_attribute :scopes, "write"
-    with_access_token_header @token.token
-    visit "/full_protected_resources/1.json"
-    expect(page.body).to have_content("show")
-  end
-  scenario "access token with both allowed scopes" do
-    @token.update_attribute :scopes, "write admin"
-    with_access_token_header @token.token
-    visit "/full_protected_resources/1.json"
-    expect(page.body).to have_content("show")
-  end
-end

data/spec/routing/custom_controller_routes_spec.rb DELETED Viewed

@@ -1,133 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-RSpec.describe "Custom controller for routes" do
-  before :all do
-    Doorkeeper.configure do
-      orm DOORKEEPER_ORM
-    end
-    Rails.application.routes.disable_clear_and_finalize = true
-    Rails.application.routes.draw do
-      scope "inner_space" do
-        use_doorkeeper scope: "scope" do
-          controllers authorizations: "custom_authorizations",
-                      tokens: "custom_authorizations",
-                      applications: "custom_authorizations",
-                      token_info: "custom_authorizations"
-          as authorizations: "custom_auth",
-             tokens: "custom_token",
-             token_info: "custom_token_info"
-        end
-      end
-      scope "space" do
-        use_doorkeeper do
-          controllers authorizations: "custom_authorizations",
-                      tokens: "custom_authorizations",
-                      applications: "custom_authorizations",
-                      token_info: "custom_authorizations"
-          as authorizations: "custom_auth",
-             tokens: "custom_token",
-             token_info: "custom_token_info"
-        end
-      end
-      scope "outer_space" do
-        use_doorkeeper do
-          controllers authorizations: "custom_authorizations",
-                      tokens: "custom_authorizations",
-                      token_info: "custom_authorizations"
-          as authorizations: "custom_auth",
-             tokens: "custom_token",
-             token_info: "custom_token_info"
-          skip_controllers :tokens, :applications, :token_info
-        end
-      end
-    end
-  end
-  after :all do
-    Rails.application.routes.clear!
-    load File.expand_path("../dummy/config/routes.rb", __dir__)
-  end
-  it "GET /inner_space/scope/authorize routes to custom authorizations controller" do
-    expect(get("/inner_space/scope/authorize")).to route_to("custom_authorizations#new")
-  end
-  it "POST /inner_space/scope/authorize routes to custom authorizations controller" do
-    expect(post("/inner_space/scope/authorize")).to route_to("custom_authorizations#create")
-  end
-  it "DELETE /inner_space/scope/authorize routes to custom authorizations controller" do
-    expect(delete("/inner_space/scope/authorize")).to route_to("custom_authorizations#destroy")
-  end
-  it "POST /inner_space/scope/token routes to tokens controller" do
-    expect(post("/inner_space/scope/token")).to route_to("custom_authorizations#create")
-  end
-  it "GET /inner_space/scope/applications routes to applications controller" do
-    expect(get("/inner_space/scope/applications")).to route_to("custom_authorizations#index")
-  end
-  it "GET /inner_space/scope/token/info routes to the token_info controller" do
-    expect(get("/inner_space/scope/token/info")).to route_to("custom_authorizations#show")
-  end
-  it "GET /space/oauth/authorize routes to custom authorizations controller" do
-    expect(get("/space/oauth/authorize")).to route_to("custom_authorizations#new")
-  end
-  it "POST /space/oauth/authorize routes to custom authorizations controller" do
-    expect(post("/space/oauth/authorize")).to route_to("custom_authorizations#create")
-  end
-  it "DELETE /space/oauth/authorize routes to custom authorizations controller" do
-    expect(delete("/space/oauth/authorize")).to route_to("custom_authorizations#destroy")
-  end
-  it "POST /space/oauth/token routes to tokens controller" do
-    expect(post("/space/oauth/token")).to route_to("custom_authorizations#create")
-  end
-  it "POST /space/oauth/revoke routes to tokens controller" do
-    expect(post("/space/oauth/revoke")).to route_to("custom_authorizations#revoke")
-  end
-  it "POST /space/oauth/introspect routes to tokens controller" do
-    expect(post("/space/oauth/introspect")).to route_to("custom_authorizations#introspect")
-  end
-  it "GET /space/oauth/applications routes to applications controller" do
-    expect(get("/space/oauth/applications")).to route_to("custom_authorizations#index")
-  end
-  it "GET /space/oauth/token/info routes to the token_info controller" do
-    expect(get("/space/oauth/token/info")).to route_to("custom_authorizations#show")
-  end
-  it "POST /outer_space/oauth/token is not be routable" do
-    expect(post("/outer_space/oauth/token")).not_to be_routable
-  end
-  it "GET /outer_space/oauth/authorize routes to custom authorizations controller" do
-    expect(get("/outer_space/oauth/authorize")).to be_routable
-  end
-  it "GET /outer_space/oauth/applications is not routable" do
-    expect(get("/outer_space/oauth/applications")).not_to be_routable
-  end
-  it "GET /outer_space/oauth/token_info is not routable" do
-    expect(get("/outer_space/oauth/token/info")).not_to be_routable
-  end
-end

data/spec/routing/default_routes_spec.rb DELETED Viewed

@@ -1,41 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-RSpec.describe "Default routes" do
-  it "GET /oauth/authorize routes to authorizations controller" do
-    expect(get("/oauth/authorize")).to route_to("doorkeeper/authorizations#new")
-  end
-  it "POST /oauth/authorize routes to authorizations controller" do
-    expect(post("/oauth/authorize")).to route_to("doorkeeper/authorizations#create")
-  end
-  it "DELETE /oauth/authorize routes to authorizations controller" do
-    expect(delete("/oauth/authorize")).to route_to("doorkeeper/authorizations#destroy")
-  end
-  it "POST /oauth/token routes to tokens controller" do
-    expect(post("/oauth/token")).to route_to("doorkeeper/tokens#create")
-  end
-  it "POST /oauth/revoke routes to tokens controller" do
-    expect(post("/oauth/revoke")).to route_to("doorkeeper/tokens#revoke")
-  end
-  it "POST /oauth/introspect routes to tokens controller" do
-    expect(post("/oauth/introspect")).to route_to("doorkeeper/tokens#introspect")
-  end
-  it "GET /oauth/applications routes to applications controller" do
-    expect(get("/oauth/applications")).to route_to("doorkeeper/applications#index")
-  end
-  it "GET /oauth/authorized_applications routes to authorized applications controller" do
-    expect(get("/oauth/authorized_applications")).to route_to("doorkeeper/authorized_applications#index")
-  end
-  it "GET /oauth/token/info route to authorized TokenInfo controller" do
-    expect(get("/oauth/token/info")).to route_to("doorkeeper/token_info#show")
-  end
-end

data/spec/routing/scoped_routes_spec.rb DELETED Viewed

@@ -1,47 +0,0 @@
-# frozen_string_literal: true
-require "spec_helper"
-RSpec.describe "Scoped routes" do
-  before :all do
-    Rails.application.routes.disable_clear_and_finalize = true
-    Rails.application.routes.draw do
-      use_doorkeeper scope: "scope"
-    end
-  end
-  after :all do
-    Rails.application.routes.clear!
-    load File.expand_path("../dummy/config/routes.rb", __dir__)
-  end
-  it "GET /scope/authorize routes to authorizations controller" do
-    expect(get("/scope/authorize")).to route_to("doorkeeper/authorizations#new")
-  end
-  it "POST /scope/authorize routes to authorizations controller" do
-    expect(post("/scope/authorize")).to route_to("doorkeeper/authorizations#create")
-  end
-  it "DELETE /scope/authorize routes to authorizations controller" do
-    expect(delete("/scope/authorize")).to route_to("doorkeeper/authorizations#destroy")
-  end
-  it "POST /scope/token routes to tokens controller" do
-    expect(post("/scope/token")).to route_to("doorkeeper/tokens#create")
-  end
-  it "GET /scope/applications routes to applications controller" do
-    expect(get("/scope/applications")).to route_to("doorkeeper/applications#index")
-  end
-  it "GET /scope/authorized_applications routes to authorized applications controller" do
-    expect(get("/scope/authorized_applications")).to route_to("doorkeeper/authorized_applications#index")
-  end
-  it "GET /scope/token/info route to authorized TokenInfo controller" do
-    expect(get("/scope/token/info")).to route_to("doorkeeper/token_info#show")
-  end
-end

data/spec/spec_helper.rb DELETED Viewed

@@ -1,54 +0,0 @@
-# frozen_string_literal: true
-require "coveralls"
-Coveralls.wear!("rails") do
-  add_filter("/spec/")
-  add_filter("/lib/generators/doorkeeper/templates/")
-end
-ENV["RAILS_ENV"] ||= "test"
-$LOAD_PATH.unshift File.dirname(__FILE__)
-require "#{File.dirname(__FILE__)}/support/doorkeeper_rspec.rb"
-DOORKEEPER_ORM = Doorkeeper::RSpec.detect_orm
-require "dummy/config/environment"
-require "rspec/rails"
-require "capybara/rspec"
-require "database_cleaner"
-require "generator_spec/test_case"
-# Load JRuby SQLite3 if in that platform
-if defined? JRUBY_VERSION
-  require "jdbc/sqlite3"
-  Jdbc::SQLite3.load_driver
-end
-Doorkeeper::RSpec.print_configuration_info
-require "support/orm/#{DOORKEEPER_ORM}"
-Dir["#{File.dirname(__FILE__)}/support/{dependencies,helpers,shared}/*.rb"].sort.each { |file| require file }
-RSpec.configure do |config|
-  config.infer_spec_type_from_file_location!
-  config.mock_with :rspec
-  config.infer_base_class_for_anonymous_controllers = false
-  config.include RSpec::Rails::RequestExampleGroup, type: :request
-  config.before do
-    DatabaseCleaner.start
-    Doorkeeper.configure { orm DOORKEEPER_ORM }
-  end
-  config.after do
-    DatabaseCleaner.clean
-  end
-  config.order = "random"
-end

data/spec/spec_helper_integration.rb DELETED Viewed

@@ -1,4 +0,0 @@
-# frozen_string_literal: true
-# For compatibility only
-require "spec_helper"

data/spec/support/dependencies/factory_bot.rb DELETED Viewed

@@ -1,4 +0,0 @@
-# frozen_string_literal: true
-require "factory_bot"
-FactoryBot.find_definitions

data/spec/support/helpers/access_token_request_helper.rb DELETED Viewed

@@ -1,14 +0,0 @@
-# frozen_string_literal: true
-module AccessTokenRequestHelper
-  def client_is_authorized(client, resource_owner, access_token_attributes = {})
-    attributes = {
-      application: client,
-      resource_owner_id: resource_owner.id,
-      resource_owner_type: resource_owner.class.name,
-    }.merge(access_token_attributes)
-    FactoryBot.create(:access_token, attributes)
-  end
-end
-RSpec.configuration.send :include, AccessTokenRequestHelper