RubyGems - doorkeeper-mongodb - Versions diffs - 4.1.0 → 4.2.0 - Mend

doorkeeper-mongodb 4.1.0 → 4.2.0

Files changed (51) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f009bcd545db95148b7441726ddaabda60b2615c
-  data.tar.gz: 4620f129281ca9234faeea8e9441b19aad3a9b72
+  metadata.gz: a558006d5a226503b88524ec1c356bcdbad72f0d
+  data.tar.gz: beb6f775648e48fe6bf29b4e36113a2ffca80be0
 SHA512:
-  metadata.gz: 3d681c085a19d8eaa8aefed5e58f843058bf32cfac55870a0a34defda18b0a3f30387b55e913d21dd8fe72bb5e92c1159bbf97f01ae21aebaa42a027b548e662
-  data.tar.gz: 62285da14c7af1084ed80db5b58ff393aabfd13dc5433862f482d2b57423ea7bda5f149e6161c164650f2178130c74454a41f24b6a56b2f21395f70420aa609c
+  metadata.gz: 05274c1bf97ca17ee906633a123e225a4530ff7700e8c75db33fd75cc725bec4e3964fe6bda687a071cfb98f4997cb193a8bef7e992c72812552e138929e7801
+  data.tar.gz: d7d7d2943fd868850d2cdd15d26002f4fa9c07aad461652fab739b233612fb95c91db80f8333dc2b7e3480bdfdeb2172b13a67a45d4ed763e3dae4cdc8b42374

data/README.md CHANGED

@@ -6,12 +6,21 @@
 `doorkeeper-mongodb` provides [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) support to
 [MongoMapper](https://github.com/mongomapper/mongomapper) and [Mongoid](https://github.com/mongodb/mongoid)
-(2, 3, 4 and 5 for doorkeeper-mongodb `3.0` and 4, 5, 6 and 7beta for version `4.0`). To start using it, add
+(2, 3, 4 and 5 for doorkeeper-mongodb `3.0` and 4, 5, 6 and 7 for version `4.0` and higher). To start using it, add
 to your Gemfile:
 ``` ruby
-gem 'doorkeeper', '~> 4.0'
-gem 'doorkeeper-mongodb', '~> 4.0'
+# For Doorkeeper < 4.4
+gem 'doorkeeper', '~> 4.3'
+gem 'doorkeeper-mongodb', '~> 4.1.0'
+# For Doorkeeper >= 4.4 && < 5.0
+gem 'doorkeeper', '~> 4.4'
+gem 'doorkeeper-mongodb', '~> 4.2'
+# For Doorkeeper >= 5.0
+gem 'doorkeeper', '~> 5.0'
+gem 'doorkeeper-mongodb', '~> 5.0'
 # or if you want to use cutting edge version:
 # gem 'doorkeeper-mongodb', github: 'doorkeeper-gem/doorkeeper-mongodb'
@@ -30,7 +39,7 @@ Set the ORM configuration:
 ``` ruby
 Doorkeeper.configure do
-  orm :mongoid6 # or :mongoid7 (beta), :mongoid4, :mongoid5, :mongo_mapper
+  orm :mongoid6 # or :mongoid7, :mongoid4, :mongoid5, :mongo_mapper
 end
 ```
@@ -72,6 +81,7 @@ variables defined in `.travis.yml` file.
 To run locally, you need to choose a gemfile, with a command similar to:
 ```
+$ export RAILS=5.1
 $ export BUNDLE_GEMFILE=$PWD/gemfiles/Gemfile.mongoid6.rb
 ```

data/lib/doorkeeper-mongodb/mixins/mongo_mapper/access_token_mixin.rb CHANGED

@@ -176,7 +176,7 @@ module DoorkeeperMongodb
         #   The OAuth 2.0 Authorization Framework: Bearer Token Usage
         #
         def token_type
-          'bearer'
+          'Bearer'
         end
         def use_refresh_token?

data/lib/doorkeeper-mongodb/mixins/mongo_mapper/application_mixin.rb CHANGED

@@ -15,6 +15,7 @@ module DoorkeeperMongodb
           validates :name, :secret, :uid, presence: true
           validates :uid, uniqueness: true
           validates :redirect_uri, redirect_uri: true
+          validates :confidential, inclusion: { in: [true, false] }
           before_validation :generate_uid, :generate_secret, on: :create
@@ -34,7 +35,11 @@ module DoorkeeperMongodb
           #   if there is no record with such credentials
           #
           def by_uid_and_secret(uid, secret)
-            where(uid: uid.to_s, secret: secret.to_s).first
+            app = by_uid(uid)
+            return unless app
+            return app if secret.blank? && !app.confidential
+            return unless app.secret == secret
+            app
           end
           # Returns an instance of the Doorkeeper::Application with specific UID.
@@ -47,8 +52,30 @@ module DoorkeeperMongodb
           def by_uid(uid)
             where(uid: uid.to_s).first
           end
+          def supports_confidentiality?
+            if respond_to?(:column_names)
+              column_names.include?("confidential")
+            else
+              fields.include?("confidential")
+            end
+          end
         end
+        # Fallback to existing, default behaviour of assuming all apps to be
+        # confidential if the migration hasn't been run
+        def confidential
+          return super if self.class.supports_confidentiality?
+          ActiveSupport::Deprecation.warn 'You are susceptible to security bug ' \
+            'CVE-2018-1000211. Please follow instructions outlined in ' \
+            'Doorkeeper::CVE_2018_1000211_WARNING'
+          true
+        end
+        alias_method :confidential?, :confidential
         private
         def has_scopes?

data/lib/doorkeeper-mongodb/mixins/mongoid/access_token_mixin.rb CHANGED

@@ -186,7 +186,7 @@ module DoorkeeperMongodb
         #   The OAuth 2.0 Authorization Framework: Bearer Token Usage
         #
         def token_type
-          'bearer'
+          'Bearer'
         end
         def use_refresh_token?

data/lib/doorkeeper-mongodb/mixins/mongoid/application_mixin.rb CHANGED

@@ -24,6 +24,7 @@ module DoorkeeperMongodb
           validates :name, :secret, :uid, presence: true
           validates :uid, uniqueness: true
           validates :redirect_uri, redirect_uri: true
+          validates :confidential, inclusion: { in: [true, false] }
           before_validation :generate_uid, :generate_secret, on: :create
@@ -43,7 +44,11 @@ module DoorkeeperMongodb
           #   if there is no record with such credentials
           #
           def by_uid_and_secret(uid, secret)
-            where(uid: uid.to_s, secret: secret.to_s).first
+            app = by_uid(uid)
+            return unless app
+            return app if secret.blank? && !app.confidential?
+            return unless app.secret == secret
+            app
           end
           # Returns an instance of the Doorkeeper::Application with specific UID.
@@ -56,8 +61,30 @@ module DoorkeeperMongodb
           def by_uid(uid)
             where(uid: uid.to_s).first
           end
+          def supports_confidentiality?
+            if respond_to?(:column_names)
+              column_names.include?("confidential")
+            else
+              fields.include?("confidential")
+            end
+          end
         end
+        # Fallback to existing, default behaviour of assuming all apps to be
+        # confidential if the migration hasn't been run
+        def confidential
+          return super if self.class.supports_confidentiality?
+          ActiveSupport::Deprecation.warn 'You are susceptible to security bug ' \
+            'CVE-2018-1000211. Please follow instructions outlined in ' \
+            'Doorkeeper::CVE_2018_1000211_WARNING'
+          true
+        end
+        alias_method :confidential?, :confidential
         private
         def has_scopes?

data/lib/doorkeeper-mongodb/version.rb CHANGED

@@ -6,7 +6,7 @@ module DoorkeeperMongodb
   module VERSION
     # Semver
     MAJOR = 4
-    MINOR = 1
+    MINOR = 2
     TINY = 0
     # Full version number

data/lib/doorkeeper/orm/mongo_mapper/application.rb CHANGED

@@ -17,6 +17,7 @@ module Doorkeeper
     key :uid,          String
     key :secret,       String
     key :redirect_uri, String
+    key :confidential, Boolean, default: true
     key :scopes,       String
     def self.authorized_for(resource_owner)

data/lib/doorkeeper/orm/mongoid4/application.rb CHANGED

@@ -14,6 +14,7 @@ module Doorkeeper
     field :uid, type: String
     field :secret, type: String
     field :redirect_uri, type: String
+    field :confidential, type: Boolean, default: true
     index({ uid: 1 }, unique: true)

data/lib/doorkeeper/orm/mongoid5/application.rb CHANGED

@@ -14,6 +14,7 @@ module Doorkeeper
     field :uid, type: String
     field :secret, type: String
     field :redirect_uri, type: String
+    field :confidential, type: Boolean, default: true
     index({ uid: 1 }, unique: true)

data/lib/doorkeeper/orm/mongoid6/application.rb CHANGED

@@ -14,6 +14,7 @@ module Doorkeeper
     field :uid, type: String
     field :secret, type: String
     field :redirect_uri, type: String
+    field :confidential, type: Boolean, default: true
     index({ uid: 1 }, unique: true)

data/lib/doorkeeper/orm/mongoid7/application.rb CHANGED

@@ -14,6 +14,7 @@ module Doorkeeper
     field :uid, type: String
     field :secret, type: String
     field :redirect_uri, type: String
+    field :confidential, type: Boolean, default: true
     index({ uid: 1 }, unique: true)

data/spec/controllers/authorizations_controller_spec.rb CHANGED

@@ -54,7 +54,7 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     end
     it 'includes token type in fragment' do
-      expect(response.query_params['token_type']).to eq('bearer')
+      expect(response.query_params['token_type']).to eq('Bearer')
     end
     it 'includes token expiration in fragment' do
@@ -164,6 +164,38 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     it 'should not issue a token' do
       expect(Doorkeeper::AccessToken.count).to be 0
     end
+    context 'with opt_out_native_route_change' do
+      around(:each) do |example|
+        Doorkeeper.configure do
+          orm DOORKEEPER_ORM
+          opt_out_native_route_change
+        end
+        Rails.application.reload_routes!
+        example.run
+        Doorkeeper.configure do
+          orm DOORKEEPER_ORM
+        end
+        Rails.application.reload_routes!
+      end
+      it 'should redirect immediately' do
+        expect(response).to be_redirect
+        expect(response.location).to match(/oauth\/authorize\/#{Doorkeeper::AccessGrant.first.token}/)
+      end
+      it 'should issue a grant' do
+        expect(Doorkeeper::AccessGrant.count).to be 1
+      end
+      it 'should not issue a token' do
+        expect(Doorkeeper::AccessToken.count).to be 0
+      end
+    end
   end
   describe 'GET #new with skip_authorization true' do
@@ -184,7 +216,7 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     end
     it 'includes token type in fragment' do
-      expect(response.query_params['token_type']).to eq('bearer')
+      expect(response.query_params['token_type']).to eq('Bearer')
     end
     it 'includes token expiration in fragment' do

data/spec/controllers/tokens_controller_spec.rb CHANGED

@@ -59,15 +59,67 @@ describe Doorkeeper::TokensController do
     end
   end
-  describe 'when revoke authorization has failed' do
-    # http://tools.ietf.org/html/rfc7009#section-2.2
-    it 'returns no error response' do
-      token = double(:token, authorize: false, application_id?: true)
-      allow(controller).to receive(:token) { token }
+  # http://tools.ietf.org/html/rfc7009#section-2.2
+  describe 'revoking tokens' do
+    let(:client) { FactoryBot.create(:application) }
+    let(:access_token) { FactoryBot.create(:access_token, application: client) }
+    before(:each) do
+      allow(controller).to receive(:token) { access_token }
+    end
+    context 'when associated app is public' do
+      let(:client) { FactoryBot.create(:application, confidential: false) }
+      it 'returns 200' do
+        post :revoke
+        expect(response.status).to eq 200
+      end
+      it 'revokes the access token' do
+        post :revoke
+        expect(access_token.reload).to have_attributes(revoked?: true)
+      end
+    end
+    context 'when associated app is confidential' do
+      let(:client) { FactoryBot.create(:application, confidential: true) }
+      let(:oauth_client) { Doorkeeper::OAuth::Client.new(client) }
-      post :revoke
+      before(:each) do
+        allow_any_instance_of(Doorkeeper::Server).to receive(:client) { oauth_client }
+      end
+      it 'returns 200' do
+        post :revoke
+        expect(response.status).to eq 200
+      end
+      it 'revokes the access token' do
+        post :revoke
+        expect(access_token.reload).to have_attributes(revoked?: true)
+      end
+      context 'when authorization fails' do
+        let(:some_other_client) { FactoryBot.create(:application, confidential: true) }
+        let(:oauth_client) { Doorkeeper::OAuth::Client.new(some_other_client) }
+        it 'returns 200' do
+          post :revoke
-      expect(response.status).to eq 200
+          expect(response.status).to eq 200
+        end
+        it 'does not revoke the access token' do
+          post :revoke
+          expect(access_token.reload).to have_attributes(revoked?: false)
+        end
+      end
     end
   end

data/spec/dummy/config/initializers/doorkeeper.rb CHANGED

@@ -29,6 +29,11 @@ Doorkeeper.configure do
   # Issue access tokens with refresh token (disabled by default)
   use_refresh_token
+  # Opt out of breaking api change to the native authorization code flow. Opting out sets the authorization
+  # code response route for native redirect uris to oauth/authorize/<code>. The default is oauth/authorize/native?code=<code>.
+  # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1143
+  # opt_out_native_route_change
   # Provide support for an owner to be assigned to each registered application (disabled by default)
   # Optional parameter confirmation: true (default false) if you want to enforce ownership of
   # a registered application
@@ -84,6 +89,17 @@ Doorkeeper.configure do
   #
   # grant_flows %w[authorization_code client_credentials]
+  # Hook into the strategies' request & response life-cycle in case your
+  # application needs advanced customization or logging:
+  #
+  # before_successful_strategy_response do |request|
+  #   puts "BEFORE HOOK FIRED! #{request}"
+  # end
+  #
+  # after_successful_strategy_response do |request, response|
+  #   puts "AFTER HOOK FIRED! #{request}, #{response}"
+  # end
   # Under some circumstances you might want to have applications auto-approved,
   # so that the user skips the authorization step.
   # For example if dealing with a trusted application.

data/spec/dummy/db/migrate/20111122132257_create_users.rb CHANGED

@@ -1,4 +1,6 @@
-class CreateUsers < ActiveRecord::Migration
+# frozen_string_literal: true
+class CreateUsers < ActiveRecord::Migration[4.2]
   def change
     create_table :users do |t|
       t.string :name

data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb CHANGED

@@ -1,4 +1,6 @@
-class AddPasswordToUsers < ActiveRecord::Migration
+# frozen_string_literal: true
+class AddPasswordToUsers < ActiveRecord::Migration[4.2]
   def change
     add_column :users, :password, :string
   end

data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb CHANGED

@@ -1,4 +1,6 @@
-class CreateDoorkeeperTables < ActiveRecord::Migration
+# frozen_string_literal: true
+class CreateDoorkeeperTables < ActiveRecord::Migration[4.2]
   def change
     create_table :oauth_applications do |t|
       t.string  :name,         null: false

data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb CHANGED

@@ -1,4 +1,6 @@
-class AddOwnerToApplication < ActiveRecord::Migration
+# frozen_string_literal: true
+class AddOwnerToApplication < ActiveRecord::Migration[4.2]
   def change
     add_column :oauth_applications, :owner_id, :integer, null: true
     add_column :oauth_applications, :owner_type, :string, null: true

data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb CHANGED

@@ -1,4 +1,6 @@
-class AddPreviousRefreshTokenToAccessTokens < ActiveRecord::Migration
+# frozen_string_literal: true
+class AddPreviousRefreshTokenToAccessTokens < ActiveRecord::Migration[4.2]
   def change
     add_column(
       :oauth_access_tokens,

data/spec/dummy/db/migrate/20180210183654_add_confidential_to_application.rb ADDED

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+class AddConfidentialToApplication < ActiveRecord::Migration[5.1]
+  def change
+    add_column(
+      :oauth_applications,
+      :confidential,
+      :boolean,
+      null: false,
+      default: true # maintaining backwards compatibility: require secrets
+    )
+  end
+end