doorkeeper-mongodb 5.2.1 → 5.2.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5d0a38ac3113c658f1734bcafc4400ad23b43868a9eed97e7e132d05dd25a6a5
-  data.tar.gz: 74e4f1804b455188ecb88401e934e5c8074d8d3bf9836e009c8ee7c24c0e961b
+  metadata.gz: 6ca032c54f4098b2652bde530b4cc204b124d76e5d066ddd04d302302dd854b7
+  data.tar.gz: 24fe8d9ad134bcd6eba2b8f9ae8e76b956d0e5eabe527ecece33c8ed51211049
 SHA512:
-  metadata.gz: c8749be507eea672fb6cc7f19ce28595c9ef675a0b5bb1e739f2faf5aae4537fe0275d43c4acba3f7507225102ff2bca2796b58f630edc438e229d31ae4bd799
-  data.tar.gz: 2b09f98f420b2993cbe903773a9cb5aac22281235a55515afbbb98c596a5ad2562612700b20d5a477fa52f4df924e7c9ff9ff913677947629dfe8a854432390d
+  metadata.gz: 3ff745bcac86d2cc5c10d8e7548c487fce3626e9570da0f66e1fc47de25bf5f5b323dd650512b14b4e248567e278a66707a1d2af52e0e15f5d9f14af9eda68e8
+  data.tar.gz: 7cdb26333c287aa9731561a4b9e59dd9115a1205be92e6e1a4e2686bcfb5d5d67b77609ec3aeff94a00dc2f96decce40ce7f55d748cc461c709b35a4fa6cedee

data/lib/doorkeeper-mongodb.rb

@@ -17,6 +17,7 @@ require "doorkeeper/orm/concerns/mongoid/ownership"
 require "doorkeeper/orm/concerns/mongoid/resource_ownerable"
 
 require "doorkeeper-mongodb/mixins/mongoid/base_mixin"
+require "doorkeeper-mongodb/mixins/mongoid/json_serializable"
 require "doorkeeper-mongodb/mixins/mongoid/access_grant_mixin"
 require "doorkeeper-mongodb/mixins/mongoid/access_token_mixin"
 require "doorkeeper-mongodb/mixins/mongoid/application_mixin"

data/lib/doorkeeper-mongodb/mixins/mongoid/access_grant_mixin.rb

@@ -14,6 +14,7 @@ module DoorkeeperMongodb
         include Doorkeeper::Models::SecretStorable
         include Doorkeeper::Orm::Concerns::Mongoid::ResourceOwnerable
         include BaseMixin
+        include JsonSerializable
 
         included do
           belongs_to_opts = {

data/lib/doorkeeper-mongodb/mixins/mongoid/access_token_mixin.rb

@@ -15,6 +15,7 @@ module DoorkeeperMongodb
         include Doorkeeper::Models::SecretStorable
         include Doorkeeper::Orm::Concerns::Mongoid::ResourceOwnerable
         include BaseMixin
+        include JsonSerializable
 
         included do
           belongs_to_opts = {

data/lib/doorkeeper-mongodb/mixins/mongoid/application_mixin.rb

@@ -51,6 +51,82 @@ module DoorkeeperMongodb
           validate :scopes_match_configured, if: :enforce_scopes?
 
           before_validation :generate_uid, :generate_secret, on: :create
+
+          # Represents client as set of it's attributes in JSON format.
+          # This is the right way how we want to override ActiveRecord #to_json.
+          #
+          # Respects privacy settings and serializes minimum set of attributes
+          # for public/private clients and full set for authorized owners.
+          #
+          # @return [Hash] entity attributes for JSON
+          #
+          def as_json(options = {})
+            # if application belongs to some owner we need to check if it's the same as
+            # the one passed in the options or check if we render the client as an owner
+            if (respond_to?(:owner) && owner && owner == options[:current_resource_owner]) ||
+               options[:as_owner]
+              # Owners can see all the client attributes, fallback to ActiveModel serialization
+              super
+            else
+              # if application has no owner or it's owner doesn't match one from the options
+              # we render only minimum set of attributes that could be exposed to a public
+              only = extract_serializable_attributes(options)
+              super(options.merge(only: only))
+            end
+          end
+
+          def serializable_hash(options = nil)
+            hash = super
+            if hash.key?("_id")
+              hash["id"] = hash.delete("_id")
+            elsif options && Array.wrap(options[:only].map(&:to_sym)).include?(:id)
+              hash["id"] = id.to_s
+            end
+            hash
+          end
+
+          # Helper method to extract collection of serializable attribute names
+          # considering serialization options (like `only`, `except` and so on).
+          #
+          # @param options [Hash] serialization options
+          #
+          # @return [Array<String>]
+          #   collection of attributes to be serialized using #as_json
+          #
+          def extract_serializable_attributes(options = {})
+            opts = options.try(:dup) || {}
+            only = Array.wrap(opts[:only]).map(&:to_s)
+
+            only = if only.blank?
+                     serializable_attributes
+                   else
+                     only & serializable_attributes
+                   end
+
+            only -= Array.wrap(opts[:except]).map(&:to_s) if opts.key?(:except)
+            only.uniq
+          end
+
+          # We need to hook into this method to allow serializing plan-text secrets
+          # when secrets hashing enabled.
+          #
+          # @param key [String] attribute name
+          #
+          def read_attribute_for_serialization(key)
+            return super unless key.to_s == "secret"
+
+            plaintext_secret || secret
+          end
+
+          # Collection of attributes that could be serialized for public.
+          # Override this method if you need additional attributes to be serialized.
+          #
+          # @return [Array<String>] collection of serializable attributes
+          def serializable_attributes
+            attributes = %w[id name created_at]
+            attributes << "uid" unless confidential?
+            attributes
+          end
         end
 
         module ClassMethods

data/lib/doorkeeper-mongodb/mixins/mongoid/base_mixin.rb

@@ -17,14 +17,6 @@ module DoorkeeperMongodb
             nil
           end
         end
-
-        def as_json(*args)
-          json_response = super
-
-          json_response["id"] = json_response["_id"]
-
-          json_response
-        end
       end
     end
   end

data/lib/doorkeeper-mongodb/mixins/mongoid/json_serializable.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module DoorkeeperMongodb
+  module Mixins
+    module Mongoid
+      module JsonSerializable
+        extend ActiveSupport::Concern
+
+        def as_json(*args)
+          json = super
+          json["id"] = json.delete("_id") if json.key?("_id")
+          json
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper-mongodb/version.rb

@@ -9,7 +9,7 @@ module DoorkeeperMongodb
     # Semver
     MAJOR = 5
     MINOR = 2
-    TINY = 1
+    TINY = 2
 
     # Full version number
     STRING = [MAJOR, MINOR, TINY].compact.join(".")

data/spec/controllers/application_metal_controller_spec.rb

@@ -2,8 +2,8 @@
 
 require "spec_helper_integration"
 
-describe Doorkeeper::ApplicationMetalController do
-  controller(Doorkeeper::ApplicationMetalController) do
+RSpec.describe Doorkeeper::ApplicationMetalController do
+  controller(described_class) do
     def index
       render json: {}, status: 200
     end
@@ -23,7 +23,7 @@ describe Doorkeeper::ApplicationMetalController do
   describe "enforce_content_type" do
     before { allow(Doorkeeper.config).to receive(:enforce_content_type).and_return(flag) }
 
-    context "enabled" do
+    context "when enabled" do
       let(:flag) { true }
 
       it "returns a 200 for the requests without body" do
@@ -42,7 +42,7 @@ describe Doorkeeper::ApplicationMetalController do
       end
     end
 
-    context "disabled" do
+    context "when disabled" do
       let(:flag) { false }
 
       it "returns a 200 for the correct media type" do

data/spec/controllers/applications_controller_spec.rb

@@ -2,132 +2,154 @@
 
 require "spec_helper"
 
-module Doorkeeper
-  describe ApplicationsController do
-    context "JSON API" do
-      render_views
+RSpec.describe Doorkeeper::ApplicationsController do
+  render_views
 
-      before do
-        allow(Doorkeeper.configuration).to receive(:api_only).and_return(true)
-        allow(Doorkeeper.configuration).to receive(:authenticate_admin).and_return(->(*) { true })
-      end
+  context "when JSON API used" do
+    before do
+      allow(Doorkeeper.configuration).to receive(:api_only).and_return(true)
+      allow(Doorkeeper.configuration).to receive(:authenticate_admin).and_return(->(*) { true })
+    end
 
-      it "creates an application" do
-        expect do
-          post :create, params: {
-            doorkeeper_application: {
-              name: "Example",
-              redirect_uri: "https://example.com",
-            }, format: :json,
-          }
-        end.to(change { Doorkeeper::Application.count })
+    it "creates an application" do
+      expect do
+        post :create, params: {
+          doorkeeper_application: {
+            name: "Example",
+            redirect_uri: "https://example.com",
+          }, format: :json,
+        }
+      end.to(change { Doorkeeper::Application.count })
 
-        expect(response).to be_successful
+      expect(response).to be_successful
 
-        expect(json_response).to include("id", "name", "uid", "secret", "redirect_uri", "scopes")
+      expect(json_response).to include("id", "name", "uid", "secret", "redirect_uri", "scopes")
 
-        application = Application.last
-        secret_from_response = json_response["secret"]
-        expect(application.secret_matches?(secret_from_response)).to be_truthy
+      application = Doorkeeper::Application.last
+      secret_from_response = json_response["secret"]
+      expect(application).to be_secret_matches(secret_from_response)
 
-        expect(json_response["name"]).to eq("Example")
-        expect(json_response["redirect_uri"]).to eq("https://example.com")
-      end
+      expect(json_response["name"]).to eq("Example")
+      expect(json_response["redirect_uri"]).to eq("https://example.com")
+    end
 
-      it "returns validation errors on wrong create params" do
-        expect do
-          post :create, params: {
-            doorkeeper_application: {
-              name: "Example",
-            }, format: :json,
-          }
-        end.not_to(change { Doorkeeper::Application.count })
+    it "returns validation errors on wrong create params" do
+      expect do
+        post :create, params: {
+          doorkeeper_application: {
+            name: "Example",
+          }, format: :json,
+        }
+      end.not_to(change { Doorkeeper::Application.count })
 
-        expect(response).to have_http_status(422)
+      expect(response).to have_http_status(422)
 
-        expect(json_response).to include("errors")
-      end
+      expect(json_response).to include("errors")
+    end
 
-      it "returns validations on wrong create params (unspecified scheme)" do
-        expect do
-          post :create, params: {
-            doorkeeper_application: {
-              name: "Example",
-              redirect_uri: "app.com:80",
-            }, format: :json,
-          }
-        end.not_to(change { Doorkeeper::Application.count })
+    it "returns validations on wrong create params (unspecified scheme)" do
+      expect do
+        post :create, params: {
+          doorkeeper_application: {
+            name: "Example",
+            redirect_uri: "app.com:80",
+          }, format: :json,
+        }
+      end.not_to(change { Doorkeeper::Application.count })
 
-        expect(response).to have_http_status(422)
+      expect(response).to have_http_status(422)
 
-        expect(json_response).to include("errors")
-      end
+      expect(json_response).to include("errors")
+    end
 
-      it "returns application info" do
-        application = FactoryBot.create(:application, name: "Change me")
+    it "returns application info" do
+      application = FactoryBot.create(:application, name: "Change me")
 
-        get :show, params: { id: application.id, format: :json }
+      get :show, params: { id: application.id, format: :json }
 
-        expect(response).to be_successful
+      expect(response).to be_successful
 
-        expect(json_response).to include("id", "name", "uid", "secret", "redirect_uri", "scopes")
-      end
+      expect(json_response).to include("id", "name", "uid", "secret", "redirect_uri", "scopes")
+    end
 
-      it "updates application" do
-        application = FactoryBot.create(:application, name: "Change me")
+    it "updates application" do
+      application = FactoryBot.create(:application, name: "Change me")
 
-        put :update, params: {
-          id: application.id,
-          doorkeeper_application: {
-            name: "Example App",
-            redirect_uri: "https://example.com",
-          }, format: :json,
-        }
+      put :update, params: {
+        id: application.id,
+        doorkeeper_application: {
+          name: "Example App",
+          redirect_uri: "https://example.com",
+        }, format: :json,
+      }
 
-        expect(application.reload.name).to eq "Example App"
+      expect(application.reload.name).to eq "Example App"
 
-        expect(json_response).to include("id", "name", "uid", "secret", "redirect_uri", "scopes")
-      end
+      expect(json_response).to include("id", "name", "uid", "secret", "redirect_uri", "scopes")
+    end
 
-      it "returns validation errors on wrong update params" do
-        application = FactoryBot.create(:application, name: "Change me")
+    it "returns validation errors on wrong update params" do
+      application = FactoryBot.create(:application, name: "Change me")
 
-        put :update, params: {
-          id: application.id,
-          doorkeeper_application: {
-            name: "Example App",
-            redirect_uri: "localhost:3000",
-          }, format: :json,
-        }
+      put :update, params: {
+        id: application.id,
+        doorkeeper_application: {
+          name: "Example App",
+          redirect_uri: "localhost:3000",
+        }, format: :json,
+      }
 
-        expect(response).to have_http_status(422)
+      expect(response).to have_http_status(422)
 
-        expect(json_response).to include("errors")
-      end
+      expect(json_response).to include("errors")
+    end
 
-      it "destroys an application" do
-        application = FactoryBot.create(:application)
+    it "destroys an application" do
+      application = FactoryBot.create(:application)
 
-        delete :destroy, params: { id: application.id, format: :json }
+      delete :destroy, params: { id: application.id, format: :json }
 
-        expect(response).to have_http_status(204)
-        expect(Application.count).to be_zero
-      end
+      expect(response).to have_http_status(204)
+      expect(Doorkeeper::Application.count).to be_zero
     end
+  end
 
-    context "when admin is not authenticated" do
-      before do
-        allow(Doorkeeper.config).to receive(:authenticate_admin).and_return(proc do
-          redirect_to main_app.root_url
-        end)
-      end
+  context "when admin is not authenticated" do
+    before do
+      allow(Doorkeeper.config).to receive(:authenticate_admin).and_return(proc do
+        redirect_to main_app.root_url
+      end)
+    end
+
+    it "redirects as set in Doorkeeper.authenticate_admin" do
+      get :index
+      expect(response).to redirect_to(controller.main_app.root_url)
+    end
+
+    it "does not create application" do
+      expect do
+        post :create, params: {
+          doorkeeper_application: {
+            name: "Example",
+            redirect_uri: "https://example.com",
+          },
+        }
+      end.not_to(change { Doorkeeper::Application.count })
+    end
+  end
+
+  context "when admin is authenticated" do
+    before do
+      allow(Doorkeeper.configuration).to receive(:authenticate_admin).and_return(->(*) { true })
+    end
 
-      it "redirects as set in Doorkeeper.authenticate_admin" do
-        get :index
-        expect(response).to redirect_to(controller.main_app.root_url)
+    context "when application secrets are hashed" do
+      before do
+        allow(Doorkeeper.configuration)
+          .to receive(:application_secret_strategy).and_return(Doorkeeper::SecretStoring::Sha256Hash)
       end
 
-      it "does not create application" do
+      it "shows the application secret after creating a new application" do
         expect do
           post :create, params: {
             doorkeeper_application: {
@@ -135,140 +157,114 @@ module Doorkeeper
               redirect_uri: "https://example.com",
             },
           }
-        end.not_to(change { Doorkeeper::Application.count })
-      end
-    end
+        end.to change { Doorkeeper::Application.count }.by(1)
 
-    context "when admin is authenticated" do
-      context "when application secrets are hashed" do
-        before do
-          allow(Doorkeeper.configuration)
-            .to receive(:application_secret_strategy).and_return(Doorkeeper::SecretStoring::Sha256Hash)
-        end
-
-        it "shows the application secret after creating a new application" do
-          expect do
-            post :create, params: {
-              doorkeeper_application: {
-                name: "Example",
-                redirect_uri: "https://example.com",
-              },
-            }
-          end.to change { Doorkeeper::Application.count }.by(1)
-
-          application = Application.last
-
-          secret_from_flash = flash[:application_secret]
-          expect(secret_from_flash).not_to be_empty
-          expect(application.secret_matches?(secret_from_flash)).to be_truthy
-          expect(response).to redirect_to(controller.main_app.oauth_application_url(application.id))
-
-          get :show, params: { id: application.id, format: :html }
-
-          # We don't know the application secret here (because its hashed) so we can not assert its text on the page
-          # Instead, we read it from the page and then check if it matches the application secret
-          code_element = %r{<code.*id="secret".*>(.*)<\/code>}.match(response.body)
-          secret_from_page = code_element[1]
-
-          expect(response.body).to have_selector("code#application_id", text: application.uid)
-          expect(response.body).to have_selector("code#secret")
-          expect(secret_from_page).not_to be_empty
-          expect(application.secret_matches?(secret_from_page)).to be_truthy
-        end
-
-        it "does not show an application secret when application did already exist" do
-          application = FactoryBot.create(:application)
-          get :show, params: { id: application.id, format: :html }
-
-          expect(response.body).to have_selector("code#application_id", text: application.uid)
-          expect(response.body).to have_selector("code#secret", text: "")
-        end
-
-        it "returns the application details in a json response" do
-          expect do
-            post :create, params: {
-              doorkeeper_application: {
-                name: "Example",
-                redirect_uri: "https://example.com",
-              }, format: :json,
-            }
-          end.to(change { Doorkeeper::Application.count })
-
-          expect(response).to be_successful
-
-          expect(json_response).to include("id", "name", "uid", "secret", "redirect_uri", "scopes")
-
-          application = Application.last
-          secret_from_response = json_response["secret"]
-          expect(application.secret_matches?(secret_from_response)).to be_truthy
-
-          expect(json_response["name"]).to eq("Example")
-          expect(json_response["redirect_uri"]).to eq("https://example.com")
-        end
-      end
+        application = Doorkeeper::Application.last
 
-      render_views
+        secret_from_flash = flash[:application_secret]
+        expect(secret_from_flash).not_to be_empty
+        expect(application).to be_secret_matches(secret_from_flash)
+        expect(response).to redirect_to(controller.main_app.oauth_application_url(application.id))
 
-      before do
-        allow(Doorkeeper.configuration).to receive(:authenticate_admin).and_return(->(*) { true })
-      end
+        get :show, params: { id: application.id, format: :html }
+
+        # We don't know the application secret here (because its hashed) so we can not assert its text on the page
+        # Instead, we read it from the page and then check if it matches the application secret
+        code_element = /code.*id="secret">\s*\K([^<]*)/m.match(response.body)
+        secret_from_page = code_element[1].strip
 
-      it "sorts applications by created_at" do
-        first_application = FactoryBot.create(:application)
-        second_application = FactoryBot.create(:application)
-        expect(Doorkeeper::Application).to receive(:ordered_by).and_call_original
+        expect(response.body).to have_selector("code#application_id", text: application.uid)
+        expect(response.body).to have_selector("code#secret")
+        expect(secret_from_page).not_to be_empty
+        expect(application).to be_secret_matches(secret_from_page)
+      end
 
-        get :index
+      it "does not show an application secret when application did already exist" do
+        application = FactoryBot.create(:application)
+        get :show, params: { id: application.id, format: :html }
 
-        expect(response.body).to have_selector("tbody tr:first-child#application_#{first_application.id}")
-        expect(response.body).to have_selector("tbody tr:last-child#application_#{second_application.id}")
+        expect(response.body).to have_selector("code#application_id", text: application.uid)
+        expect(response.body).to have_selector("code#secret", text: "")
       end
 
-      it "creates application" do
+      it "returns the application details in a json response" do
         expect do
           post :create, params: {
             doorkeeper_application: {
               name: "Example",
               redirect_uri: "https://example.com",
-            },
+            }, format: :json,
           }
-        end.to change { Doorkeeper::Application.count }.by(1)
+        end.to(change { Doorkeeper::Application.count })
 
-        expect(response).to be_redirect
-      end
+        expect(response).to be_successful
 
-      it "shows application details" do
-        application = FactoryBot.create(:application)
-        get :show, params: { id: application.id, format: :html }
+        expect(json_response).to include("id", "name", "uid", "secret", "redirect_uri", "scopes")
 
-        expect(response.body).to have_selector("code#application_id", text: application.uid)
-        expect(response.body).to have_selector("code#secret", text: application.plaintext_secret)
+        application = Doorkeeper::Application.last
+        secret_from_response = json_response["secret"]
+        expect(application).to be_secret_matches(secret_from_response)
+
+        expect(json_response["name"]).to eq("Example")
+        expect(json_response["redirect_uri"]).to eq("https://example.com")
       end
+    end
 
-      it "does not allow mass assignment of uid or secret" do
-        application = FactoryBot.create(:application)
-        put :update, params: {
-          id: application.id,
-          doorkeeper_application: {
-            uid: "1A2B3C4D",
-            secret: "1A2B3C4D",
-          },
-        }
+    it "sorts applications by created_at" do
+      first_application = FactoryBot.create(:application)
+      second_application = FactoryBot.create(:application)
+      expect(Doorkeeper::Application).to receive(:ordered_by).and_call_original
 
-        expect(application.reload.uid).not_to eq "1A2B3C4D"
-      end
+      get :index
 
-      it "updates application" do
-        application = FactoryBot.create(:application)
-        put :update, params: {
-          id: application.id, doorkeeper_application: {
+      expect(response.body).to have_selector("tbody tr:first-child#application_#{first_application.id}")
+      expect(response.body).to have_selector("tbody tr:last-child#application_#{second_application.id}")
+    end
+
+    it "creates application" do
+      expect do
+        post :create, params: {
+          doorkeeper_application: {
             name: "Example",
             redirect_uri: "https://example.com",
           },
         }
+      end.to change { Doorkeeper::Application.count }.by(1)
 
-        expect(application.reload.name).to eq "Example"
-      end
+      expect(response).to be_redirect
+    end
+
+    it "shows application details" do
+      application = FactoryBot.create(:application)
+      get :show, params: { id: application.id, format: :html }
+
+      expect(response.body).to have_selector("code#application_id", text: application.uid)
+      expect(response.body).to have_selector("code#secret", text: application.plaintext_secret)
+    end
+
+    it "does not allow mass assignment of uid or secret" do
+      application = FactoryBot.create(:application)
+      put :update, params: {
+        id: application.id,
+        doorkeeper_application: {
+          uid: "1A2B3C4D",
+          secret: "1A2B3C4D",
+        },
+      }
+
+      expect(application.reload.uid).not_to eq "1A2B3C4D"
+    end
+
+    it "updates application" do
+      application = FactoryBot.create(:application)
+      put :update, params: {
+        id: application.id, doorkeeper_application: {
+          name: "Example",
+          redirect_uri: "https://example.com",
+        },
+      }
+
+      expect(application.reload.name).to eq "Example"
     end
   end
 end