doorkeeper-mongodb 5.5.0 → 5.5.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 31397e2cb87670cde0c3c5eb8bd487a864e14c11dfcedc868c5fd1e2b4683e87
-  data.tar.gz: 534a2ce1dd42bc361839b31e96a54491b2142b1366a46590a719ee071b835b36
+  metadata.gz: 2831ead15c9f00179162bc0910a5f9a5fea4cd0644c2f81aa201f3d6d2d4363e
+  data.tar.gz: 230f38a7299782c778763e3524230b4678cf175a7a5a19e7f65d8caed861a84a
 SHA512:
-  metadata.gz: 2debfbe47ca1743bae09ae241245438a56454b4850cf6d833c337fe8e1e79a21e396fbaaafd52ec7eb14c49a7342c573f45d4e2feac4ca8ebdb2cddb285dfadb
-  data.tar.gz: 5a74a5c8666980b4af1c88427ab692d2aecb049fe918605558223eee48a3b9df1403ab13a3b3448c8645804ec46c67966f0e07e0925bb99ce92fb9ca1cf4830d
+  metadata.gz: 7bc1982e16ab6ff9e76116fa67070fd86b4e61bba9e50cce7bdaccb4c2e197f5bcd83ad929f43d8cc7c63f253b0265d3d90b97dd1862a22d06a0e2b5336349d4
+  data.tar.gz: e2153799788547fef7eed3982889e3b06f55fad4bfa0af23546b3e9da2f437bd161356e6f3b9604c43650ccc000b271b5a766c88d10183f49a319e73b8c15fba

data/lib/doorkeeper-mongodb/mixins/mongoid/application_mixin.rb

@@ -36,7 +36,8 @@ module DoorkeeperMongodb
           has_many :access_grants, has_many_options.merge(class_name: access_grants_class_name)
           has_many :access_tokens, has_many_options.merge(class_name: access_tokens_class_name)
 
-          validates_presence_of :name, :secret, :uid
+          validates_presence_of :name, :uid
+          validates_presence_of :secret, if: :secret_required?
           validates_uniqueness_of :uid
 
           # Before Doorkeeper 5.2.3
@@ -243,11 +244,16 @@ module DoorkeeperMongodb
 
         def generate_secret
           return if secret.present?
+          return unless secret_required?
 
           @raw_secret = UniqueToken.generate
           secret_strategy.store_secret(self, :secret, @raw_secret)
         end
 
+        def secret_required?
+          confidential?
+        end
+
         def scopes_match_configured
           if scopes.present? &&
              !ScopeChecker.valid?(scope_str: scopes.to_s,

data/lib/doorkeeper-mongodb/mixins/mongoid/base_mixin.rb

@@ -7,6 +7,14 @@ module DoorkeeperMongodb
         extend ActiveSupport::Concern
 
         module ClassMethods
+          # No-op for Mongoid. Doorkeeper 5.9+ uses with_primary_role to
+          # ensure writes go to the primary database when ActiveRecord read
+          # replicas are configured. Mongoid doesn't have this concept, so
+          # we simply yield.
+          def with_primary_role
+            yield
+          end
+
           def ordered_by(attribute, direction = :asc)
             order_by(attribute => direction.to_sym)
           end

data/lib/doorkeeper-mongodb/version.rb

@@ -9,7 +9,7 @@ module DoorkeeperMongodb
     # Semver
     MAJOR = 5
     MINOR = 5
-    TINY = 0
+    TINY = 1
 
     # Full version number
     STRING = [MAJOR, MINOR, TINY].compact.join(".")

data/spec/controllers/application_metal_controller_spec.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+require "spec_helper_integration"
+
+RSpec.describe Doorkeeper::ApplicationMetalController, type: :controller do
+  render_views
+
+  controller(described_class) do
+    def index
+      render json: {}, status: 200
+    end
+
+    def create
+      render json: {}, status: 200
+    end
+  end
+
+  it "lazy run hooks" do
+    i = 0
+    ActiveSupport.on_load(:doorkeeper_metal_controller) { i += 1 }
+
+    expect(i).to eq 1
+  end
+
+  describe "enforce_content_type" do
+    before { allow(Doorkeeper.config).to receive(:enforce_content_type).and_return(flag) }
+
+    context "when enabled" do
+      let(:flag) { true }
+
+      it "returns a 200 for the requests without body" do
+        get :index, params: {}
+        expect(response).to have_http_status 200
+      end
+
+      it "returns a 200 for the requests with body and correct media type" do
+        post :create, params: {}, as: :url_encoded_form
+        expect(response).to have_http_status 200
+      end
+
+      it "returns a 415 for the requests with body and incorrect media type" do
+        post :create, params: {}, as: :json
+        expect(response).to have_http_status 415
+      end
+    end
+
+    context "when disabled" do
+      let(:flag) { false }
+
+      it "returns a 200 for the correct media type" do
+        get :index, as: :url_encoded_form
+        expect(response).to have_http_status 200
+      end
+
+      it "returns a 200 for an incorrect media type" do
+        get :index, as: :json
+        expect(response).to have_http_status 200
+      end
+
+      it "returns a 200 for the requests with body and incorrect media type" do
+        post :create, params: {}, as: :json
+        expect(response).to have_http_status 200
+      end
+    end
+  end
+end

data/spec/controllers/applications_controller_spec.rb

@@ -0,0 +1,270 @@
+# frozen_string_literal: true
+
+require "spec_helper"
+
+RSpec.describe Doorkeeper::ApplicationsController, type: :controller do
+  render_views
+
+  context "when JSON API used" do
+    before do
+      allow(Doorkeeper.configuration).to receive(:api_only).and_return(true)
+      allow(Doorkeeper.configuration).to receive(:authenticate_admin).and_return(->(*) { true })
+    end
+
+    it "creates an application" do
+      expect do
+        post :create, params: {
+          doorkeeper_application: {
+            name: "Example",
+            redirect_uri: "https://example.com",
+          }, format: :json,
+        }
+      end.to(change { Doorkeeper::Application.count })
+
+      expect(response).to be_successful
+
+      expect(json_response).to include("id", "name", "uid", "secret", "redirect_uri", "scopes")
+
+      application = Doorkeeper::Application.last
+      secret_from_response = json_response["secret"]
+      expect(application).to be_secret_matches(secret_from_response)
+
+      expect(json_response["name"]).to eq("Example")
+      expect(json_response["redirect_uri"]).to eq("https://example.com")
+    end
+
+    it "returns validation errors on wrong create params" do
+      expect do
+        post :create, params: {
+          doorkeeper_application: {
+            name: "Example",
+          }, format: :json,
+        }
+      end.not_to(change { Doorkeeper::Application.count })
+
+      expect(response).to have_http_status(422)
+
+      expect(json_response).to include("errors")
+    end
+
+    it "returns validations on wrong create params (unspecified scheme)" do
+      expect do
+        post :create, params: {
+          doorkeeper_application: {
+            name: "Example",
+            redirect_uri: "app.com:80",
+          }, format: :json,
+        }
+      end.not_to(change { Doorkeeper::Application.count })
+
+      expect(response).to have_http_status(422)
+
+      expect(json_response).to include("errors")
+    end
+
+    it "returns application info" do
+      application = FactoryBot.create(:application, name: "Change me")
+
+      get :show, params: { id: application.id, format: :json }
+
+      expect(response).to be_successful
+
+      expect(json_response).to include("id", "name", "uid", "secret", "redirect_uri", "scopes")
+    end
+
+    it "updates application" do
+      application = FactoryBot.create(:application, name: "Change me")
+
+      put :update, params: {
+        id: application.id,
+        doorkeeper_application: {
+          name: "Example App",
+          redirect_uri: "https://example.com",
+        }, format: :json,
+      }
+
+      expect(application.reload.name).to eq "Example App"
+
+      expect(json_response).to include("id", "name", "uid", "secret", "redirect_uri", "scopes")
+    end
+
+    it "returns validation errors on wrong update params" do
+      application = FactoryBot.create(:application, name: "Change me")
+
+      put :update, params: {
+        id: application.id,
+        doorkeeper_application: {
+          name: "Example App",
+          redirect_uri: "localhost:3000",
+        }, format: :json,
+      }
+
+      expect(response).to have_http_status(422)
+
+      expect(json_response).to include("errors")
+    end
+
+    it "destroys an application" do
+      application = FactoryBot.create(:application)
+
+      delete :destroy, params: { id: application.id, format: :json }
+
+      expect(response).to have_http_status(204)
+      expect(Doorkeeper::Application.count).to be_zero
+    end
+  end
+
+  context "when admin is not authenticated" do
+    before do
+      allow(Doorkeeper.config).to receive(:authenticate_admin).and_return(proc do
+        redirect_to main_app.root_url
+      end)
+    end
+
+    it "redirects as set in Doorkeeper.authenticate_admin" do
+      get :index
+      expect(response).to redirect_to(controller.main_app.root_url)
+    end
+
+    it "does not create application" do
+      expect do
+        post :create, params: {
+          doorkeeper_application: {
+            name: "Example",
+            redirect_uri: "https://example.com",
+          },
+        }
+      end.not_to(change { Doorkeeper::Application.count })
+    end
+  end
+
+  context "when admin is authenticated" do
+    before do
+      allow(Doorkeeper.configuration).to receive(:authenticate_admin).and_return(->(*) { true })
+    end
+
+    context "when application secrets are hashed" do
+      before do
+        allow(Doorkeeper.configuration)
+          .to receive(:application_secret_strategy).and_return(Doorkeeper::SecretStoring::Sha256Hash)
+      end
+
+      it "shows the application secret after creating a new application" do
+        expect do
+          post :create, params: {
+            doorkeeper_application: {
+              name: "Example",
+              redirect_uri: "https://example.com",
+            },
+          }
+        end.to change { Doorkeeper::Application.count }.by(1)
+
+        application = Doorkeeper::Application.last
+
+        secret_from_flash = flash[:application_secret]
+        expect(secret_from_flash).not_to be_empty
+        expect(application).to be_secret_matches(secret_from_flash)
+        expect(response).to redirect_to(controller.main_app.oauth_application_url(application.id))
+
+        get :show, params: { id: application.id, format: :html }
+
+        # We don't know the application secret here (because its hashed) so we can not assert its text on the page
+        # Instead, we read it from the page and then check if it matches the application secret
+        code_element = /code.*id="secret">\s*\K([^<]*)/m.match(response.body)
+        secret_from_page = code_element[1].strip
+
+        expect(response.body).to have_selector("code#application_id", text: application.uid)
+        expect(response.body).to have_selector("code#secret")
+        expect(secret_from_page).not_to be_empty
+        expect(application).to be_secret_matches(secret_from_page)
+      end
+
+      it "does not show an application secret when application did already exist" do
+        application = FactoryBot.create(:application)
+        get :show, params: { id: application.id, format: :html }
+
+        expect(response.body).to have_selector("code#application_id", text: application.uid)
+        expect(response.body).to have_selector("code#secret", text: "")
+      end
+
+      it "returns the application details in a json response" do
+        expect do
+          post :create, params: {
+            doorkeeper_application: {
+              name: "Example",
+              redirect_uri: "https://example.com",
+            }, format: :json,
+          }
+        end.to(change { Doorkeeper::Application.count })
+
+        expect(response).to be_successful
+
+        expect(json_response).to include("id", "name", "uid", "secret", "redirect_uri", "scopes")
+
+        application = Doorkeeper::Application.last
+        secret_from_response = json_response["secret"]
+        expect(application).to be_secret_matches(secret_from_response)
+
+        expect(json_response["name"]).to eq("Example")
+        expect(json_response["redirect_uri"]).to eq("https://example.com")
+      end
+    end
+
+    it "sorts applications by created_at" do
+      first_application = FactoryBot.create(:application)
+      second_application = FactoryBot.create(:application)
+      expect(Doorkeeper::Application).to receive(:ordered_by).and_call_original
+
+      get :index
+
+      expect(response.body).to have_selector("tbody tr:first-child#application_#{first_application.id}")
+      expect(response.body).to have_selector("tbody tr:last-child#application_#{second_application.id}")
+    end
+
+    it "creates application" do
+      expect do
+        post :create, params: {
+          doorkeeper_application: {
+            name: "Example",
+            redirect_uri: "https://example.com",
+          },
+        }
+      end.to change { Doorkeeper::Application.count }.by(1)
+
+      expect(response).to be_redirect
+    end
+
+    it "shows application details" do
+      application = FactoryBot.create(:application)
+      get :show, params: { id: application.id, format: :html }
+
+      expect(response.body).to have_selector("code#application_id", text: application.uid)
+      expect(response.body).to have_selector("code#secret", text: application.plaintext_secret)
+    end
+
+    it "does not allow mass assignment of uid or secret" do
+      application = FactoryBot.create(:application)
+      put :update, params: {
+        id: application.id,
+        doorkeeper_application: {
+          uid: "1A2B3C4D",
+          secret: "1A2B3C4D",
+        },
+      }
+
+      expect(application.reload.uid).not_to eq "1A2B3C4D"
+    end
+
+    it "updates application" do
+      application = FactoryBot.create(:application)
+      put :update, params: {
+        id: application.id, doorkeeper_application: {
+          name: "Example",
+          redirect_uri: "https://example.com",
+        },
+      }
+
+      expect(application.reload.name).to eq "Example"
+    end
+  end
+end