doorkeeper-sequel 1.5.0 → 2.4.0

data/gemfiles/rails-6.0.gemfile

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+
+gemspec path: ".."
+
+gem "bcrypt", "~> 3.1"
+gem "rails", "~> 6.0.0", "<= 6.1"
+gem "sequel", ">= 4.0"
+gem "sqlite3", "~> 1.3.5"
+
+group :test do
+  gem "rspec-rails", "~> 4.0"
+end

data/lib/doorkeeper-sequel.rb

@@ -1,28 +1,32 @@
-require 'doorkeeper-sequel/version'
+# frozen_string_literal: true
 
-if defined?(::Rails)
-  require 'doorkeeper-sequel/railtie'
-end
+require "doorkeeper-sequel/version"
+
+require "doorkeeper-sequel/railtie" if defined?(::Rails)
 
-require 'doorkeeper'
-require 'thor/group'
+require "doorkeeper"
+require "doorkeeper/redirect_uri_validator"
+require "doorkeeper/oauth/nonstandard"
+require "thor/group"
 
-require 'doorkeeper-sequel/generators/concerns/migration_actions'
-require 'doorkeeper-sequel/generators/application_owner_generator'
-require 'doorkeeper-sequel/generators/migration_generator'
-require 'doorkeeper-sequel/generators/previous_refresh_token_generator'
+require "doorkeeper-sequel/generators/concerns/migration_actions"
+require "doorkeeper-sequel/generators/application_owner_generator"
+require "doorkeeper-sequel/generators/migration_generator"
+require "doorkeeper-sequel/generators/previous_refresh_token_generator"
+require "doorkeeper-sequel/generators/confidential_applications_generator"
+require "doorkeeper-sequel/generators/polymorphic_resource_owner_generator"
 
-require 'doorkeeper-sequel/mixins/concerns/sequel_compat'
-require 'doorkeeper-sequel/mixins/access_token_mixin'
-require 'doorkeeper-sequel/mixins/access_grant_mixin'
-require 'doorkeeper-sequel/mixins/application_mixin'
+require "doorkeeper-sequel/mixins/concerns/sequel_compat"
+require "doorkeeper-sequel/mixins/access_token_mixin"
+require "doorkeeper-sequel/mixins/access_grant_mixin"
+require "doorkeeper-sequel/mixins/application_mixin"
 
-require 'doorkeeper/orm/sequel'
+require "doorkeeper/orm/sequel"
 
 module DoorkeeperSequel
   def load_locales
-    locales_dir = File.expand_path('../../config/locales', __FILE__)
-    locales = Dir[File.join(locales_dir, '*.yml')]
+    locales_dir = File.expand_path("../config/locales", __dir__)
+    locales = Dir[File.join(locales_dir, "*.yml")]
 
     I18n.load_path |= locales
   end

data/lib/doorkeeper-sequel/gem_version.rb

@@ -1,13 +1,15 @@
+# frozen_string_literal: true
+
 module DoorkeeperSequel
   def self.gem_version
     Gem::Version.new VERSION::STRING
   end
 
   module VERSION
-    MAJOR = 1
-    MINOR = 5
+    MAJOR = 2
+    MINOR = 4
     TINY  = 0
 
-    STRING = [MAJOR, MINOR, TINY].compact.join('.')
+    STRING = [MAJOR, MINOR, TINY].compact.join(".")
   end
 end

data/lib/doorkeeper-sequel/generators/application_owner_generator.rb

@@ -1,14 +1,16 @@
+# frozen_string_literal: true
+
 module DoorkeeperSequel
   class ApplicationOwnerGenerator < ::Thor::Group
     include ::Thor::Actions
     include MigrationActions
 
-    source_root File.expand_path('../templates', __FILE__)
+    source_root File.expand_path("templates", __dir__)
 
-    desc 'Provide support for client application ownership.'
+    desc "Provide support for client application ownership."
 
     def install
-      create_migration 'add_owner_to_application.rb'
+      create_migration "add_owner_to_application.rb"
     end
   end
 end

data/lib/doorkeeper-sequel/generators/concerns/migration_actions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module DoorkeeperSequel
   module MigrationActions
     extend ::ActiveSupport::Concern
@@ -9,7 +11,7 @@ module DoorkeeperSequel
     end
 
     def migration_template
-      File.expand_path('../templates/migration.rb', __FILE__)
+      File.expand_path("templates/migration.rb", __dir__)
     end
 
     private
@@ -19,20 +21,20 @@ module DoorkeeperSequel
     end
 
     def new_migration_number
-      current_number = current_migration_number('db/migrate')
+      current_number = current_migration_number("db/migrate")
 
       # possible numeric migration
-      if current_number && current_number.start_with?('0')
+      if current_number&.start_with?("0")
         # generate the same name as used by the developer
-        "%.#{current_number.length}d" % (current_number.to_i + 1)
+        format("%.#{current_number.length}d", (current_number.to_i + 1))
       else
-        Time.now.utc.strftime('%Y%m%d%H%M%S')
+        Time.now.utc.strftime("%Y%m%d%H%M%S")
       end
     end
 
     def current_migration_number(dirname)
       migration_lookup_at(dirname).collect do |file|
-        File.basename(file).split('_').first
+        File.basename(file).split("_").first
       end.max
     end
 

data/lib/doorkeeper-sequel/generators/confidential_applications_generator.rb

@@ -1,14 +1,16 @@
+# frozen_string_literal: true
+
 module DoorkeeperSequel
   class ConfidentialApplicationsGenerator < ::Thor::Group
     include ::Thor::Actions
     include MigrationActions
 
-    source_root File.expand_path('../templates', __FILE__)
+    source_root File.expand_path("templates", __dir__)
 
-    desc 'Add confidential column to Doorkeeper applications.'
+    desc "Add confidential column to Doorkeeper applications."
 
     def install
-      create_migration 'add_confidential_to_application_migration'
+      create_migration "add_confidential_to_application_migration"
     end
   end
 end

data/lib/doorkeeper-sequel/generators/migration_generator.rb

@@ -1,14 +1,16 @@
+# frozen_string_literal: true
+
 module DoorkeeperSequel
   class MigrationGenerator < ::Thor::Group
     include ::Thor::Actions
     include MigrationActions
 
-    source_root File.expand_path('../templates', __FILE__)
+    source_root File.expand_path("templates", __dir__)
 
-    desc 'Installs Doorkeeper Sequel migration file.'
+    desc "Installs Doorkeeper Sequel migration file."
 
     def install
-      create_migration 'create_doorkeeper_tables.rb'
+      create_migration "create_doorkeeper_tables.rb"
     end
   end
 end

data/lib/doorkeeper-sequel/generators/pkce_generator.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module DoorkeeperSequel
+  class PkceGenerator < ::Thor::Group
+    include ::Thor::Actions
+    include MigrationActions
+
+    source_root File.expand_path("templates", __dir__)
+
+    desc "Provide support for PKCE."
+
+    def install
+      create_migration "enable_pkce_migration.rb.erb"
+    end
+  end
+end

data/lib/doorkeeper-sequel/generators/polymorphic_resource_owner_generator.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+module DoorkeeperSequel
+  class PolymorphicResourceOwnerGenerator < ::Thor::Group
+    include ::Thor::Actions
+    include MigrationActions
+
+    source_root File.expand_path("templates", __dir__)
+
+    desc "Provide support for Polymorphic Resource Owner."
+
+    def install
+      create_migration "enable_polymorphic_resource_owner_migration.rb.erb"
+    end
+  end
+end

data/lib/doorkeeper-sequel/generators/previous_refresh_token_generator.rb

@@ -1,14 +1,16 @@
+# frozen_string_literal: true
+
 module DoorkeeperSequel
   class PreviousRefreshTokenGenerator < ::Thor::Group
     include ::Thor::Actions
     include MigrationActions
 
-    source_root File.expand_path('../templates', __FILE__)
+    source_root File.expand_path("templates", __dir__)
 
-    desc 'Support revoke refresh token on access token use'
+    desc "Support revoke refresh token on access token use"
 
     def install
-      create_migration 'add_previous_refresh_token_to_access_tokens.rb'
+      create_migration "add_previous_refresh_token_to_access_tokens.rb"
     end
   end
 end

data/lib/doorkeeper-sequel/generators/templates/add_confidential_to_application_migration.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Sequel.migration do
   change do
     alter_table(:oauth_applications) do

data/lib/doorkeeper-sequel/generators/templates/add_owner_to_application.rb

@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
 Sequel.migration do
   change do
     alter_table(:oauth_applications) do
       add_column :owner_id, Integer, null: true
       add_column :owner_type, String, null: true
-      add_index [:owner_id, :owner_type]
+      add_index %i[owner_id owner_type]
     end
   end
 end

data/lib/doorkeeper-sequel/generators/templates/add_previous_refresh_token_to_access_tokens.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 Sequel.migration do
   change do
     alter_table(:oauth_access_tokens) do
-      add_column :previous_refresh_token, String, default: '', null: false
+      add_column :previous_refresh_token, String, default: "", null: false
     end
   end
 end

data/lib/doorkeeper-sequel/generators/templates/create_doorkeeper_tables.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Sequel.migration do
   change do
     create_table :oauth_applications do
@@ -7,7 +9,7 @@ Sequel.migration do
       column :uid, String, size: 255, null: false, index: { unique: true }
       column :secret, String, size: 255, null: false
 
-      column :scopes, String, size: 255, null: false, default: ''
+      column :scopes, String, size: 255, null: false, default: ""
       column :redirect_uri, String
       column :confidential, TrueClass, null: false, default: true
 
@@ -19,7 +21,8 @@ Sequel.migration do
       primary_key :id
       foreign_key :application_id, :oauth_applications, null: false, on_delete: :cascade
 
-      column :resource_owner_id, Integer, null: false
+      column :resource_owner_id, Integer, null: false, index: true
+      column :resource_owner_type, String, null: false, index: true
 
       column :token, String, size: 255, null: false, index: { unique: true }
       column :expires_in, Integer, null: false
@@ -34,6 +37,7 @@ Sequel.migration do
       foreign_key :application_id, :oauth_applications, null: false, on_delete: :cascade
 
       column :resource_owner_id, Integer, index: true
+      column :resource_owner_type, String, index: true
 
       # If you use a custom token generator you may need to change this column
       # from string to text, so that it accepts tokens larger than 255
@@ -50,7 +54,7 @@ Sequel.migration do
       # previous tokens are revoked as soon as a new access token is created.
       # Comment out this line if you'd rather have refresh tokens
       # instantly revoked.
-      column :previous_refresh_token, String, size: 255, null: false, default: ''
+      column :previous_refresh_token, String, size: 255, null: false, default: ""
       column :expires_in, Integer
       column :revoked_at, DateTime
       column :created_at, DateTime, null: false

data/lib/doorkeeper-sequel/generators/templates/enable_pkce_migration.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+Sequel.migration do
+  change do
+    alter_table(:oauth_access_grants) do
+      add_column :code_challenge, String, null: true
+      add_column :code_challenge_method, String, null: true
+    end
+  end
+end

data/lib/doorkeeper-sequel/generators/templates/enable_polymorphic_resource_owner_migration.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+Sequel.migration do
+  change do
+    alter_table(:oauth_access_grants) do
+      add_column :resource_owner_type, String, default: nil
+      add_index [:resource_owner_id, :resource_owner_type]
+    end
+	
+    alter_table(:oauth_access_tokens) do
+      add_column :resource_owner_type, String, default: nil
+      add_index [:resource_owner_id, :resource_owner_type]
+    end
+  end
+end

data/lib/doorkeeper-sequel/mixins/access_grant_mixin.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module DoorkeeperSequel
   module AccessGrantMixin
     extend ActiveSupport::Concern
@@ -7,16 +9,17 @@ module DoorkeeperSequel
     include Doorkeeper::Models::Expirable
     include Doorkeeper::Models::Revocable
     include Doorkeeper::Models::Accessible
+    include Doorkeeper::Models::SecretStorable
     include Doorkeeper::Models::Scopes
 
     included do
       plugin :validation_helpers
       plugin :timestamps
-
-      many_to_one :application, class: 'Doorkeeper::Application'
+      many_to_one :application, class: "Doorkeeper::Application"
 
       set_allowed_columns :resource_owner_id, :application_id,
-                          :expires_in, :redirect_uri, :scopes
+                          :expires_in, :redirect_uri, :scopes, :code_challenge, :code_challenge_method,
+                          :token
 
       def before_validation
         generate_token if new?
@@ -25,22 +28,57 @@ module DoorkeeperSequel
 
       def validate
         super
-        validates_presence [:resource_owner_id, :application_id,
-                            :token, :expires_in, :redirect_uri]
+        validates_presence %i[resource_owner_id application_id
+                              token expires_in redirect_uri]
         validates_unique [:token]
       end
     end
 
     module ClassMethods
       def by_token(token)
-        first(token: token.to_s)
+        find_by_plaintext_token(:token, token)
+      end
+
+      def find_by(params)
+        first(params)
+      end
+
+      def revoke_all_for(application_id, resource_owner, clock = Time)
+        where(application_id: application_id,
+              resource_owner_id: resource_owner.id,
+              revoked_at: nil)
+          .update(revoked_at: clock.now.utc)
+      end
+
+      def generate_code_challenge(code_verifier)
+        padded_result = Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier))
+        padded_result.split("=")[0] # Remove any trailing '='
+      end
+
+      def pkce_supported?
+        new.pkce_supported?
+      end
+
+      def secret_strategy
+        ::Doorkeeper.configuration.token_secret_strategy
+      end
+
+      def fallback_secret_strategy
+        ::Doorkeeper.configuration.token_secret_fallback_strategy
       end
     end
 
     private
 
+    # Generates token value with UniqueToken class.
+    #
+    # @return [String] token value
+    #
     def generate_token
-      self.token = UniqueToken.generate
+      return nil unless self[:token].nil?
+
+      @raw_token = UniqueToken.generate
+      secret_strategy.store_secret(self, :token, @raw_token)
     end
   end
 end

data/lib/doorkeeper-sequel/mixins/access_token_mixin.rb

@@ -1,24 +1,32 @@
+# frozen_string_literal: true
+
 module DoorkeeperSequel
   module AccessTokenMixin
     extend ActiveSupport::Concern
 
     include SequelCompat
     include Doorkeeper::OAuth::Helpers
-    include Doorkeeper::Models::Expirable
     include Doorkeeper::Models::Revocable
+    include Doorkeeper::Models::Expirable
+    include Doorkeeper::Models::Reusable
     include Doorkeeper::Models::Accessible
+    include Doorkeeper::Models::SecretStorable
     include Doorkeeper::Models::Scopes
+    include Doorkeeper::Models::ResourceOwnerable
 
     included do
       plugin :validation_helpers
       plugin :timestamps
 
-      many_to_one :application, class: 'Doorkeeper::Application'
+
+      many_to_one :application, class: "Doorkeeper::Application"
+      many_to_one :resource_owner, polymorphic: true
 
       attr_writer :use_refresh_token
 
-      set_allowed_columns :application_id, :resource_owner_id, :expires_in,
-                          :scopes, :use_refresh_token, :previous_refresh_token
+      set_allowed_columns :application_id, :resource_owner_id, :resource_owner_type,
+                                           :expires_in, :scopes, :use_refresh_token, 
+                                           :previous_refresh_token, :token, :refresh_token
 
       def before_validation
         if new?
@@ -44,11 +52,15 @@ module DoorkeeperSequel
 
     module ClassMethods
       def by_token(token)
-        first(token: token.to_s)
+        find_by_plaintext_token(:token, token)
+      end
+
+      def find_by(params)
+        first(params)
       end
 
       def by_refresh_token(refresh_token)
-        first(refresh_token: refresh_token.to_s)
+        find_by_plaintext_token(:refresh_token, refresh_token)
       end
 
       def revoke_all_for(application_id, resource_owner, clock = Time)
@@ -57,6 +69,10 @@ module DoorkeeperSequel
               revoked_at: nil)
           .update(revoked_at: clock.now.utc)
       end
+	  
+      def by_previous_refresh_token(previous_refresh_token)
+        where(refresh_token: previous_refresh_token).first
+      end
 
       def matching_token_for(application, resource_owner_or_id, scopes)
         resource_owner_id = if resource_owner_or_id.respond_to?(:to_key)
@@ -64,63 +80,127 @@ module DoorkeeperSequel
                             else
                               resource_owner_or_id
                             end
-        token = last_authorized_token_for(application.try(:id), resource_owner_id)
-        if token && scopes_match?(token.scopes, scopes, application.try(:scopes))
-          token
+        tokens = authorized_tokens_for(application.try(:id), resource_owner_id).all
+        tokens.detect do |token|
+          scopes_match?(token.scopes, scopes, application.try(:scopes))
         end
       end
 
+      def find_matching_token(relation, application, scopes)
+        return nil unless relation
+
+        matching_tokens = []
+
+        tokens = relation.select do |token|
+          scopes_match?(token.scopes, scopes, application.try(:scopes))
+        end
+
+        matching_tokens.concat(tokens)
+        matching_tokens.max_by(&:created_at)
+      end
+
       def scopes_match?(token_scopes, param_scopes, app_scopes)
-        (token_scopes.blank? && param_scopes.blank?) ||
-          Doorkeeper::OAuth::Helpers::ScopeChecker.match?(
-            token_scopes.to_s,
-            param_scopes,
-            app_scopes
+        return true if token_scopes.empty? && param_scopes.empty?
+
+        (token_scopes.sort == param_scopes.sort) &&
+          Doorkeeper::OAuth::Helpers::ScopeChecker.valid?(
+            scope_str: param_scopes.to_s,
+            server_scopes: Doorkeeper.configuration.scopes,
+            app_scopes: app_scopes
           )
       end
 
-      def find_or_create_for(application, resource_owner_id, scopes, expires_in, use_refresh_token)
+      def authorized_tokens_for(application_id, resource_owner)
+        by_resource_owner(resource_owner).where(application_id: application_id,
+              revoked_at: nil).order(Sequel.desc(:created_at))
+      end
+
+      def find_or_create_for(*args)
+	     attributes = if args.size > 1
+                         {
+                           application: args[0],
+                           resource_owner: args[1],
+                           scopes: args[2],
+                           expires_in: args[3],
+                           use_refresh_token: args[4],
+                         }
+                      else
+                         args.first
+                      end		
+		
+        application = attributes[:application]
+        resource_owner = attributes[:resource_owner]
+        scopes = attributes[:scopes]
+        expires_in = attributes[:expires_in]
+        use_refresh_token = attributes[:use_refresh_token]
+        
         if Doorkeeper.configuration.reuse_access_token
-          access_token = matching_token_for(application, resource_owner_id, scopes)
-          return access_token if access_token && !access_token.expired?
+          access_token = matching_token_for(application, resource_owner, scopes)
+          return access_token if access_token&.reusable?
         end
-
-        create!(
-          application_id: application.try(:id),
-          resource_owner_id: resource_owner_id,
-          scopes: scopes.to_s,
+        
+        create_for(
+          application: application,
+          resource_owner: resource_owner,
+          scopes: scopes,
           expires_in: expires_in,
-          use_refresh_token: use_refresh_token
+          use_refresh_token: use_refresh_token,
         )
       end
+	  
+      def create_for(application:, resource_owner:, scopes:, **token_attributes)
+        token_attributes[:application_id] = application&.id
+        token_attributes[:scopes] = scopes.to_s
+
+        if Doorkeeper.config.polymorphic_resource_owner?
+          token_attributes[:resource_owner] = resource_owner
+        else
+          token_attributes[:resource_owner_id] = resource_owner_id_for(resource_owner)
+        end
+
+        create!(token_attributes)
+      end
 
       def last_authorized_token_for(application_id, resource_owner_id)
-        where(application_id: application_id,
-              resource_owner_id: resource_owner_id,
-              revoked_at: nil)
-          .send(order_method, created_at_desc)
-          .first
+        authorized_tokens_for(application_id, resource_owner_id).first
+      end
+
+      def secret_strategy
+        ::Doorkeeper.configuration.token_secret_strategy
+      end
+
+      def fallback_secret_strategy
+        ::Doorkeeper.configuration.token_secret_fallback_strategy
+      end
+
+      def polymorphic_resource_owner?
+        columns.include?(:resource_owner_type)
       end
     end
 
     def token_type
-      'Bearer'
+      "Bearer"
     end
 
     def use_refresh_token?
+      @use_refresh_token ||= false
       !!@use_refresh_token
     end
 
     def as_json(_options = {})
       {
         resource_owner_id: resource_owner_id,
-        scopes: scopes,
-        expires_in_seconds: expires_in_seconds,
+        scope: scopes,
+        expires_in: expires_in_seconds,
         application: { uid: application.try(:uid) },
-        created_at: created_at.to_i
-      }
+        created_at: created_at.to_i,
+      }.tap do |json|
+        if Doorkeeper.configuration.polymorphic_resource_owner?
+          json[:resource_owner_type] = resource_owner_type
+        end
+      end
     end
-
+	
     # It indicates whether the tokens have the same credential
     def same_credential?(access_token)
       application_id == access_token.application_id &&
@@ -131,32 +211,64 @@ module DoorkeeperSequel
       accessible? && includes_scope?(*scopes)
     end
 
+    def plaintext_refresh_token
+      if secret_strategy.allows_restoring_secrets?
+        secret_strategy.restore_secret(self, :refresh_token)
+      else
+        @raw_refresh_token
+      end
+    end
+
+    def plaintext_token
+      if secret_strategy.allows_restoring_secrets?
+        secret_strategy.restore_secret(self, :token)
+      else
+        @raw_token
+      end
+    end
+	
+    # Revokes token with `:refresh_token` equal to `:previous_refresh_token`
+    # and clears `:previous_refresh_token` attribute.
+    #
+    def revoke_previous_refresh_token!
+      return unless self.class.refresh_token_revoked_on_use?
+
+      old_refresh_token&.revoke
+      update(previous_refresh_token: "")
+    end
+
     private
 
+    def old_refresh_token
+      @old_refresh_token ||= self.class.by_previous_refresh_token(previous_refresh_token)
+    end
+	
     def generate_refresh_token
-      self[:refresh_token] = UniqueToken.generate
+      @raw_refresh_token = UniqueToken.generate
+      secret_strategy.store_secret(self, :refresh_token, @raw_refresh_token)
     end
 
     def generate_token
       self[:created_at] ||= Time.now.utc
 
-      generator = token_generator
-      unless generator.respond_to?(:generate)
-        raise Doorkeeper::Errors::UnableToGenerateToken, "#{generator} does not respond to `.generate`."
-      end
-
-      self[:token] = generator.generate(
+      @raw_token = token_generator.generate(
         resource_owner_id: resource_owner_id,
         scopes: scopes,
         application: application,
         expires_in: expires_in,
         created_at: created_at
       )
+      secret_strategy.store_secret(self, :token, @raw_token)
+      @raw_token
     end
 
     def token_generator
       generator_name = Doorkeeper.configuration.access_token_generator
-      generator_name.constantize
+      generator = generator_name.constantize
+
+      return generator if generator.respond_to?(:generate)
+
+      raise Doorkeeper::Errors::UnableToGenerateToken, "#{generator} does not respond to `.generate`."
     rescue NameError
       raise Doorkeeper::Errors::TokenGeneratorNotFound, "#{generator_name} not found"
     end