RubyGems - doorkeeper-mongodb - Versions diffs - 4.1.0 → 4.2.0 - Mend

doorkeeper-mongodb 4.1.0 → 4.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (51) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f009bcd545db95148b7441726ddaabda60b2615c
-  data.tar.gz: 4620f129281ca9234faeea8e9441b19aad3a9b72
+  metadata.gz: a558006d5a226503b88524ec1c356bcdbad72f0d
+  data.tar.gz: beb6f775648e48fe6bf29b4e36113a2ffca80be0
 SHA512:
-  metadata.gz: 3d681c085a19d8eaa8aefed5e58f843058bf32cfac55870a0a34defda18b0a3f30387b55e913d21dd8fe72bb5e92c1159bbf97f01ae21aebaa42a027b548e662
-  data.tar.gz: 62285da14c7af1084ed80db5b58ff393aabfd13dc5433862f482d2b57423ea7bda5f149e6161c164650f2178130c74454a41f24b6a56b2f21395f70420aa609c
+  metadata.gz: 05274c1bf97ca17ee906633a123e225a4530ff7700e8c75db33fd75cc725bec4e3964fe6bda687a071cfb98f4997cb193a8bef7e992c72812552e138929e7801
+  data.tar.gz: d7d7d2943fd868850d2cdd15d26002f4fa9c07aad461652fab739b233612fb95c91db80f8333dc2b7e3480bdfdeb2172b13a67a45d4ed763e3dae4cdc8b42374

data/README.md CHANGED

@@ -6,12 +6,21 @@
 `doorkeeper-mongodb` provides [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) support to
 [MongoMapper](https://github.com/mongomapper/mongomapper) and [Mongoid](https://github.com/mongodb/mongoid)
-(2, 3, 4 and 5 for doorkeeper-mongodb `3.0` and 4, 5, 6 and 7beta for version `4.0`). To start using it, add
+(2, 3, 4 and 5 for doorkeeper-mongodb `3.0` and 4, 5, 6 and 7 for version `4.0` and higher). To start using it, add
 to your Gemfile:
 ``` ruby
-gem 'doorkeeper', '~> 4.0'
-gem 'doorkeeper-mongodb', '~> 4.0'
+# For Doorkeeper < 4.4
+gem 'doorkeeper', '~> 4.3'
+gem 'doorkeeper-mongodb', '~> 4.1.0'
+# For Doorkeeper >= 4.4 && < 5.0
+gem 'doorkeeper', '~> 4.4'
+gem 'doorkeeper-mongodb', '~> 4.2'
+# For Doorkeeper >= 5.0
+gem 'doorkeeper', '~> 5.0'
+gem 'doorkeeper-mongodb', '~> 5.0'
 # or if you want to use cutting edge version:
 # gem 'doorkeeper-mongodb', github: 'doorkeeper-gem/doorkeeper-mongodb'
@@ -30,7 +39,7 @@ Set the ORM configuration:
 ``` ruby
 Doorkeeper.configure do
-  orm :mongoid6 # or :mongoid7 (beta), :mongoid4, :mongoid5, :mongo_mapper
+  orm :mongoid6 # or :mongoid7, :mongoid4, :mongoid5, :mongo_mapper
 end
 ```
@@ -72,6 +81,7 @@ variables defined in `.travis.yml` file.
 To run locally, you need to choose a gemfile, with a command similar to:
 ```
+$ export RAILS=5.1
 $ export BUNDLE_GEMFILE=$PWD/gemfiles/Gemfile.mongoid6.rb
 ```

data/lib/doorkeeper-mongodb/mixins/mongo_mapper/access_token_mixin.rb CHANGED

@@ -176,7 +176,7 @@ module DoorkeeperMongodb
         #   The OAuth 2.0 Authorization Framework: Bearer Token Usage
         #
         def token_type
-          'bearer'
+          'Bearer'
         end
         def use_refresh_token?

data/lib/doorkeeper-mongodb/mixins/mongo_mapper/application_mixin.rb CHANGED

@@ -15,6 +15,7 @@ module DoorkeeperMongodb
           validates :name, :secret, :uid, presence: true
           validates :uid, uniqueness: true
           validates :redirect_uri, redirect_uri: true
+          validates :confidential, inclusion: { in: [true, false] }
           before_validation :generate_uid, :generate_secret, on: :create
@@ -34,7 +35,11 @@ module DoorkeeperMongodb
           #   if there is no record with such credentials
           #
           def by_uid_and_secret(uid, secret)
-            where(uid: uid.to_s, secret: secret.to_s).first
+            app = by_uid(uid)
+            return unless app
+            return app if secret.blank? && !app.confidential
+            return unless app.secret == secret
+            app
           end
           # Returns an instance of the Doorkeeper::Application with specific UID.
@@ -47,8 +52,30 @@ module DoorkeeperMongodb
           def by_uid(uid)
             where(uid: uid.to_s).first
           end
+          def supports_confidentiality?
+            if respond_to?(:column_names)
+              column_names.include?("confidential")
+            else
+              fields.include?("confidential")
+            end
+          end
         end
+        # Fallback to existing, default behaviour of assuming all apps to be
+        # confidential if the migration hasn't been run
+        def confidential
+          return super if self.class.supports_confidentiality?
+          ActiveSupport::Deprecation.warn 'You are susceptible to security bug ' \
+            'CVE-2018-1000211. Please follow instructions outlined in ' \
+            'Doorkeeper::CVE_2018_1000211_WARNING'
+          true
+        end
+        alias_method :confidential?, :confidential
         private
         def has_scopes?

data/lib/doorkeeper-mongodb/mixins/mongoid/access_token_mixin.rb CHANGED

@@ -186,7 +186,7 @@ module DoorkeeperMongodb
         #   The OAuth 2.0 Authorization Framework: Bearer Token Usage
         #
         def token_type
-          'bearer'
+          'Bearer'
         end
         def use_refresh_token?

data/lib/doorkeeper-mongodb/mixins/mongoid/application_mixin.rb CHANGED

@@ -24,6 +24,7 @@ module DoorkeeperMongodb
           validates :name, :secret, :uid, presence: true
           validates :uid, uniqueness: true
           validates :redirect_uri, redirect_uri: true
+          validates :confidential, inclusion: { in: [true, false] }
           before_validation :generate_uid, :generate_secret, on: :create
@@ -43,7 +44,11 @@ module DoorkeeperMongodb
           #   if there is no record with such credentials
           #
           def by_uid_and_secret(uid, secret)
-            where(uid: uid.to_s, secret: secret.to_s).first
+            app = by_uid(uid)
+            return unless app
+            return app if secret.blank? && !app.confidential?
+            return unless app.secret == secret
+            app
           end
           # Returns an instance of the Doorkeeper::Application with specific UID.
@@ -56,8 +61,30 @@ module DoorkeeperMongodb
           def by_uid(uid)
             where(uid: uid.to_s).first
           end
+          def supports_confidentiality?
+            if respond_to?(:column_names)
+              column_names.include?("confidential")
+            else
+              fields.include?("confidential")
+            end
+          end
         end
+        # Fallback to existing, default behaviour of assuming all apps to be
+        # confidential if the migration hasn't been run
+        def confidential
+          return super if self.class.supports_confidentiality?
+          ActiveSupport::Deprecation.warn 'You are susceptible to security bug ' \
+            'CVE-2018-1000211. Please follow instructions outlined in ' \
+            'Doorkeeper::CVE_2018_1000211_WARNING'
+          true
+        end
+        alias_method :confidential?, :confidential
         private
         def has_scopes?

data/lib/doorkeeper-mongodb/version.rb CHANGED

@@ -6,7 +6,7 @@ module DoorkeeperMongodb
   module VERSION
     # Semver
     MAJOR = 4
-    MINOR = 1
+    MINOR = 2
     TINY = 0
     # Full version number

data/lib/doorkeeper/orm/mongo_mapper/application.rb CHANGED

@@ -17,6 +17,7 @@ module Doorkeeper
     key :uid,          String
     key :secret,       String
     key :redirect_uri, String
+    key :confidential, Boolean, default: true
     key :scopes,       String
     def self.authorized_for(resource_owner)

data/lib/doorkeeper/orm/mongoid4/application.rb CHANGED

@@ -14,6 +14,7 @@ module Doorkeeper
     field :uid, type: String
     field :secret, type: String
     field :redirect_uri, type: String
+    field :confidential, type: Boolean, default: true
     index({ uid: 1 }, unique: true)

data/lib/doorkeeper/orm/mongoid5/application.rb CHANGED

@@ -14,6 +14,7 @@ module Doorkeeper
     field :uid, type: String
     field :secret, type: String
     field :redirect_uri, type: String
+    field :confidential, type: Boolean, default: true
     index({ uid: 1 }, unique: true)

data/lib/doorkeeper/orm/mongoid6/application.rb CHANGED

@@ -14,6 +14,7 @@ module Doorkeeper
     field :uid, type: String
     field :secret, type: String
     field :redirect_uri, type: String
+    field :confidential, type: Boolean, default: true
     index({ uid: 1 }, unique: true)

data/lib/doorkeeper/orm/mongoid7/application.rb CHANGED

@@ -14,6 +14,7 @@ module Doorkeeper
     field :uid, type: String
     field :secret, type: String
     field :redirect_uri, type: String
+    field :confidential, type: Boolean, default: true
     index({ uid: 1 }, unique: true)

data/spec/controllers/authorizations_controller_spec.rb CHANGED

@@ -54,7 +54,7 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     end
     it 'includes token type in fragment' do
-      expect(response.query_params['token_type']).to eq('bearer')
+      expect(response.query_params['token_type']).to eq('Bearer')
     end
     it 'includes token expiration in fragment' do
@@ -164,6 +164,38 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     it 'should not issue a token' do
       expect(Doorkeeper::AccessToken.count).to be 0
     end
+    context 'with opt_out_native_route_change' do
+      around(:each) do |example|
+        Doorkeeper.configure do
+          orm DOORKEEPER_ORM
+          opt_out_native_route_change
+        end
+        Rails.application.reload_routes!
+        example.run
+        Doorkeeper.configure do
+          orm DOORKEEPER_ORM
+        end
+        Rails.application.reload_routes!
+      end
+      it 'should redirect immediately' do
+        expect(response).to be_redirect
+        expect(response.location).to match(/oauth\/authorize\/#{Doorkeeper::AccessGrant.first.token}/)
+      end
+      it 'should issue a grant' do
+        expect(Doorkeeper::AccessGrant.count).to be 1
+      end
+      it 'should not issue a token' do
+        expect(Doorkeeper::AccessToken.count).to be 0
+      end
+    end
   end
   describe 'GET #new with skip_authorization true' do
@@ -184,7 +216,7 @@ describe Doorkeeper::AuthorizationsController, 'implicit grant flow' do
     end
     it 'includes token type in fragment' do
-      expect(response.query_params['token_type']).to eq('bearer')
+      expect(response.query_params['token_type']).to eq('Bearer')
     end
     it 'includes token expiration in fragment' do

data/spec/controllers/tokens_controller_spec.rb CHANGED

@@ -59,15 +59,67 @@ describe Doorkeeper::TokensController do
     end
   end
-  describe 'when revoke authorization has failed' do
-    # http://tools.ietf.org/html/rfc7009#section-2.2
-    it 'returns no error response' do
-      token = double(:token, authorize: false, application_id?: true)
-      allow(controller).to receive(:token) { token }
+  # http://tools.ietf.org/html/rfc7009#section-2.2
+  describe 'revoking tokens' do
+    let(:client) { FactoryBot.create(:application) }
+    let(:access_token) { FactoryBot.create(:access_token, application: client) }
+    before(:each) do
+      allow(controller).to receive(:token) { access_token }
+    end
+    context 'when associated app is public' do
+      let(:client) { FactoryBot.create(:application, confidential: false) }
+      it 'returns 200' do
+        post :revoke
+        expect(response.status).to eq 200
+      end
+      it 'revokes the access token' do
+        post :revoke
+        expect(access_token.reload).to have_attributes(revoked?: true)
+      end
+    end
+    context 'when associated app is confidential' do
+      let(:client) { FactoryBot.create(:application, confidential: true) }
+      let(:oauth_client) { Doorkeeper::OAuth::Client.new(client) }
-      post :revoke
+      before(:each) do
+        allow_any_instance_of(Doorkeeper::Server).to receive(:client) { oauth_client }
+      end
+      it 'returns 200' do
+        post :revoke
+        expect(response.status).to eq 200
+      end
+      it 'revokes the access token' do
+        post :revoke
+        expect(access_token.reload).to have_attributes(revoked?: true)
+      end
+      context 'when authorization fails' do
+        let(:some_other_client) { FactoryBot.create(:application, confidential: true) }
+        let(:oauth_client) { Doorkeeper::OAuth::Client.new(some_other_client) }
+        it 'returns 200' do
+          post :revoke
-      expect(response.status).to eq 200
+          expect(response.status).to eq 200
+        end
+        it 'does not revoke the access token' do
+          post :revoke
+          expect(access_token.reload).to have_attributes(revoked?: false)
+        end
+      end
     end
   end

data/spec/dummy/config/initializers/doorkeeper.rb CHANGED

@@ -29,6 +29,11 @@ Doorkeeper.configure do
   # Issue access tokens with refresh token (disabled by default)
   use_refresh_token
+  # Opt out of breaking api change to the native authorization code flow. Opting out sets the authorization
+  # code response route for native redirect uris to oauth/authorize/<code>. The default is oauth/authorize/native?code=<code>.
+  # Rationale: https://github.com/doorkeeper-gem/doorkeeper/issues/1143
+  # opt_out_native_route_change
   # Provide support for an owner to be assigned to each registered application (disabled by default)
   # Optional parameter confirmation: true (default false) if you want to enforce ownership of
   # a registered application
@@ -84,6 +89,17 @@ Doorkeeper.configure do
   #
   # grant_flows %w[authorization_code client_credentials]
+  # Hook into the strategies' request & response life-cycle in case your
+  # application needs advanced customization or logging:
+  #
+  # before_successful_strategy_response do |request|
+  #   puts "BEFORE HOOK FIRED! #{request}"
+  # end
+  #
+  # after_successful_strategy_response do |request, response|
+  #   puts "AFTER HOOK FIRED! #{request}, #{response}"
+  # end
   # Under some circumstances you might want to have applications auto-approved,
   # so that the user skips the authorization step.
   # For example if dealing with a trusted application.

data/spec/dummy/db/migrate/20111122132257_create_users.rb CHANGED

@@ -1,4 +1,6 @@
-class CreateUsers < ActiveRecord::Migration
+# frozen_string_literal: true
+class CreateUsers < ActiveRecord::Migration[4.2]
   def change
     create_table :users do |t|
       t.string :name

data/spec/dummy/db/migrate/20120312140401_add_password_to_users.rb CHANGED

@@ -1,4 +1,6 @@
-class AddPasswordToUsers < ActiveRecord::Migration
+# frozen_string_literal: true
+class AddPasswordToUsers < ActiveRecord::Migration[4.2]
   def change
     add_column :users, :password, :string
   end

data/spec/dummy/db/migrate/20151223192035_create_doorkeeper_tables.rb CHANGED

@@ -1,4 +1,6 @@
-class CreateDoorkeeperTables < ActiveRecord::Migration
+# frozen_string_literal: true
+class CreateDoorkeeperTables < ActiveRecord::Migration[4.2]
   def change
     create_table :oauth_applications do |t|
       t.string  :name,         null: false

data/spec/dummy/db/migrate/20151223200000_add_owner_to_application.rb CHANGED

@@ -1,4 +1,6 @@
-class AddOwnerToApplication < ActiveRecord::Migration
+# frozen_string_literal: true
+class AddOwnerToApplication < ActiveRecord::Migration[4.2]
   def change
     add_column :oauth_applications, :owner_id, :integer, null: true
     add_column :oauth_applications, :owner_type, :string, null: true

data/spec/dummy/db/migrate/20160320211015_add_previous_refresh_token_to_access_tokens.rb CHANGED

@@ -1,4 +1,6 @@
-class AddPreviousRefreshTokenToAccessTokens < ActiveRecord::Migration
+# frozen_string_literal: true
+class AddPreviousRefreshTokenToAccessTokens < ActiveRecord::Migration[4.2]
   def change
     add_column(
       :oauth_access_tokens,

data/spec/dummy/db/migrate/20180210183654_add_confidential_to_application.rb ADDED

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+class AddConfidentialToApplication < ActiveRecord::Migration[5.1]
+  def change
+    add_column(
+      :oauth_applications,
+      :confidential,
+      :boolean,
+      null: false,
+      default: true # maintaining backwards compatibility: require secrets
+    )
+  end
+end