doorkeeper-sequel 2.0.0 → 2.1.0

data/lib/doorkeeper-sequel/generators/concerns/migration_actions.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module DoorkeeperSequel
   module MigrationActions
     extend ::ActiveSupport::Concern
@@ -9,7 +11,7 @@ module DoorkeeperSequel
     end
 
     def migration_template
-      File.expand_path('../templates/migration.rb', __FILE__)
+      File.expand_path("templates/migration.rb", __dir__)
     end
 
     private
@@ -19,20 +21,20 @@ module DoorkeeperSequel
     end
 
     def new_migration_number
-      current_number = current_migration_number('db/migrate')
+      current_number = current_migration_number("db/migrate")
 
       # possible numeric migration
-      if current_number && current_number.start_with?('0')
+      if current_number&.start_with?("0")
         # generate the same name as used by the developer
-        "%.#{current_number.length}d" % (current_number.to_i + 1)
+        format("%.#{current_number.length}d", (current_number.to_i + 1))
       else
-        Time.now.utc.strftime('%Y%m%d%H%M%S')
+        Time.now.utc.strftime("%Y%m%d%H%M%S")
       end
     end
 
     def current_migration_number(dirname)
       migration_lookup_at(dirname).collect do |file|
-        File.basename(file).split('_').first
+        File.basename(file).split("_").first
       end.max
     end
 

data/lib/doorkeeper-sequel/generators/confidential_applications_generator.rb

@@ -1,14 +1,16 @@
+# frozen_string_literal: true
+
 module DoorkeeperSequel
   class ConfidentialApplicationsGenerator < ::Thor::Group
     include ::Thor::Actions
     include MigrationActions
 
-    source_root File.expand_path('../templates', __FILE__)
+    source_root File.expand_path("templates", __dir__)
 
-    desc 'Add confidential column to Doorkeeper applications.'
+    desc "Add confidential column to Doorkeeper applications."
 
     def install
-      create_migration 'add_confidential_to_application_migration'
+      create_migration "add_confidential_to_application_migration"
     end
   end
 end

data/lib/doorkeeper-sequel/generators/migration_generator.rb

@@ -1,14 +1,16 @@
+# frozen_string_literal: true
+
 module DoorkeeperSequel
   class MigrationGenerator < ::Thor::Group
     include ::Thor::Actions
     include MigrationActions
 
-    source_root File.expand_path('../templates', __FILE__)
+    source_root File.expand_path("templates", __dir__)
 
-    desc 'Installs Doorkeeper Sequel migration file.'
+    desc "Installs Doorkeeper Sequel migration file."
 
     def install
-      create_migration 'create_doorkeeper_tables.rb'
+      create_migration "create_doorkeeper_tables.rb"
     end
   end
 end

data/lib/doorkeeper-sequel/generators/pkce_generator.rb

@@ -1,14 +1,16 @@
+# frozen_string_literal: true
+
 module DoorkeeperSequel
   class PkceGenerator < ::Thor::Group
     include ::Thor::Actions
     include MigrationActions
 
-    source_root File.expand_path('../templates', __FILE__)
+    source_root File.expand_path("templates", __dir__)
 
-    desc 'Provide support for PKCE.'
+    desc "Provide support for PKCE."
 
     def install
-      create_migration 'enable_pkce_migration.rb.erb'
+      create_migration "enable_pkce_migration.rb.erb"
     end
   end
 end

data/lib/doorkeeper-sequel/generators/previous_refresh_token_generator.rb

@@ -1,14 +1,16 @@
+# frozen_string_literal: true
+
 module DoorkeeperSequel
   class PreviousRefreshTokenGenerator < ::Thor::Group
     include ::Thor::Actions
     include MigrationActions
 
-    source_root File.expand_path('../templates', __FILE__)
+    source_root File.expand_path("templates", __dir__)
 
-    desc 'Support revoke refresh token on access token use'
+    desc "Support revoke refresh token on access token use"
 
     def install
-      create_migration 'add_previous_refresh_token_to_access_tokens.rb'
+      create_migration "add_previous_refresh_token_to_access_tokens.rb"
     end
   end
 end

data/lib/doorkeeper-sequel/generators/templates/add_confidential_to_application_migration.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Sequel.migration do
   change do
     alter_table(:oauth_applications) do

data/lib/doorkeeper-sequel/generators/templates/add_owner_to_application.rb

@@ -1,9 +1,11 @@
+# frozen_string_literal: true
+
 Sequel.migration do
   change do
     alter_table(:oauth_applications) do
       add_column :owner_id, Integer, null: true
       add_column :owner_type, String, null: true
-      add_index [:owner_id, :owner_type]
+      add_index %i[owner_id owner_type]
     end
   end
 end

data/lib/doorkeeper-sequel/generators/templates/add_previous_refresh_token_to_access_tokens.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 Sequel.migration do
   change do
     alter_table(:oauth_access_tokens) do
-      add_column :previous_refresh_token, String, default: '', null: false
+      add_column :previous_refresh_token, String, default: "", null: false
     end
   end
 end

data/lib/doorkeeper-sequel/generators/templates/create_doorkeeper_tables.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 Sequel.migration do
   change do
     create_table :oauth_applications do
@@ -7,7 +9,7 @@ Sequel.migration do
       column :uid, String, size: 255, null: false, index: { unique: true }
       column :secret, String, size: 255, null: false
 
-      column :scopes, String, size: 255, null: false, default: ''
+      column :scopes, String, size: 255, null: false, default: ""
       column :redirect_uri, String
       column :confidential, TrueClass, null: false, default: true
 
@@ -50,7 +52,7 @@ Sequel.migration do
       # previous tokens are revoked as soon as a new access token is created.
       # Comment out this line if you'd rather have refresh tokens
       # instantly revoked.
-      column :previous_refresh_token, String, size: 255, null: false, default: ''
+      column :previous_refresh_token, String, size: 255, null: false, default: ""
       column :expires_in, Integer
       column :revoked_at, DateTime
       column :created_at, DateTime, null: false

data/lib/doorkeeper-sequel/generators/templates/enable_pkce_migration.rb

@@ -1,7 +1,9 @@
+# frozen_string_literal: true
+
 Sequel.migration do
   change do
     alter_table(:oauth_access_grants) do
-      add_column :code_challenge, Integer, null: true
+      add_column :code_challenge, String, null: true
       add_column :code_challenge_method, String, null: true
     end
   end

data/lib/doorkeeper-sequel/mixins/access_grant_mixin.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module DoorkeeperSequel
   module AccessGrantMixin
     extend ActiveSupport::Concern
@@ -7,16 +9,17 @@ module DoorkeeperSequel
     include Doorkeeper::Models::Expirable
     include Doorkeeper::Models::Revocable
     include Doorkeeper::Models::Accessible
+    include Doorkeeper::Models::SecretStorable
     include Doorkeeper::Models::Scopes
 
     included do
       plugin :validation_helpers
       plugin :timestamps
-
-      many_to_one :application, class: 'Doorkeeper::Application'
+      many_to_one :application, class: "Doorkeeper::Application"
 
       set_allowed_columns :resource_owner_id, :application_id,
-                          :expires_in, :redirect_uri, :scopes, :code_challenge, :code_challenge_method
+                          :expires_in, :redirect_uri, :scopes, :code_challenge, :code_challenge_method,
+                          :token
 
       def before_validation
         generate_token if new?
@@ -25,23 +28,19 @@ module DoorkeeperSequel
 
       def validate
         super
-        validates_presence [:resource_owner_id, :application_id,
-                            :token, :expires_in, :redirect_uri]
+        validates_presence %i[resource_owner_id application_id
+                              token expires_in redirect_uri]
         validates_unique [:token]
       end
-
-      def uses_pkce?
-        pkce_supported? && code_challenge.present?
-      end
-
-      def pkce_supported?
-        respond_to? :code_challenge
-      end
     end
 
     module ClassMethods
       def by_token(token)
-        first(token: token.to_s)
+        find_by_plaintext_token(:token, token)
+      end
+
+      def find_by(params)
+        first(params)
       end
 
       def revoke_all_for(application_id, resource_owner, clock = Time)
@@ -53,18 +52,33 @@ module DoorkeeperSequel
 
       def generate_code_challenge(code_verifier)
         padded_result = Base64.urlsafe_encode64(Digest::SHA256.digest(code_verifier))
-        padded_result.split('=')[0] # Remove any trailing '='
+        padded_result.split("=")[0] # Remove any trailing '='
       end
 
       def pkce_supported?
         new.pkce_supported?
       end
+
+      def secret_strategy
+        ::Doorkeeper.configuration.token_secret_strategy
+      end
+
+      def fallback_secret_strategy
+        ::Doorkeeper.configuration.token_secret_fallback_strategy
+      end
     end
 
     private
 
+    # Generates token value with UniqueToken class.
+    #
+    # @return [String] token value
+    #
     def generate_token
-      self.token = UniqueToken.generate
+      return nil unless self[:token].nil?
+
+      @raw_token = UniqueToken.generate
+      secret_strategy.store_secret(self, :token, @raw_token)
     end
   end
 end

data/lib/doorkeeper-sequel/mixins/access_token_mixin.rb

@@ -1,24 +1,29 @@
+# frozen_string_literal: true
+
 module DoorkeeperSequel
   module AccessTokenMixin
     extend ActiveSupport::Concern
 
     include SequelCompat
     include Doorkeeper::OAuth::Helpers
-    include Doorkeeper::Models::Expirable
     include Doorkeeper::Models::Revocable
+    include Doorkeeper::Models::Expirable
+    include Doorkeeper::Models::Reusable
     include Doorkeeper::Models::Accessible
+    include Doorkeeper::Models::SecretStorable
     include Doorkeeper::Models::Scopes
 
     included do
       plugin :validation_helpers
       plugin :timestamps
 
-      many_to_one :application, class: 'Doorkeeper::Application'
+      many_to_one :application, class: "Doorkeeper::Application"
 
       attr_writer :use_refresh_token
 
       set_allowed_columns :application_id, :resource_owner_id, :expires_in,
-                          :scopes, :use_refresh_token, :previous_refresh_token
+                          :scopes, :use_refresh_token, :previous_refresh_token,
+                          :token, :refresh_token
 
       def before_validation
         if new?
@@ -44,11 +49,15 @@ module DoorkeeperSequel
 
     module ClassMethods
       def by_token(token)
-        first(token: token.to_s)
+        find_by_plaintext_token(:token, token)
+      end
+
+      def find_by(params)
+        first(params)
       end
 
       def by_refresh_token(refresh_token)
-        first(refresh_token: refresh_token.to_s)
+        find_by_plaintext_token(:refresh_token, refresh_token)
       end
 
       def revoke_all_for(application_id, resource_owner, clock = Time)
@@ -64,33 +73,46 @@ module DoorkeeperSequel
                             else
                               resource_owner_or_id
                             end
-        tokens = authorized_tokens_for(application.try(:id), resource_owner_id)
+        tokens = authorized_tokens_for(application.try(:id), resource_owner_id).all
         tokens.detect do |token|
           scopes_match?(token.scopes, scopes, application.try(:scopes))
         end
       end
 
+      def find_matching_token(relation, application, scopes)
+        return nil unless relation
+
+        matching_tokens = []
+
+        tokens = relation.select do |token|
+          scopes_match?(token.scopes, scopes, application.try(:scopes))
+        end
+
+        matching_tokens.concat(tokens)
+        matching_tokens.max_by(&:created_at)
+      end
+
       def scopes_match?(token_scopes, param_scopes, app_scopes)
         return true if token_scopes.empty? && param_scopes.empty?
+
         (token_scopes.sort == param_scopes.sort) &&
           Doorkeeper::OAuth::Helpers::ScopeChecker.valid?(
-            param_scopes.to_s,
-            Doorkeeper.configuration.scopes,
-            app_scopes
+            scope_str: param_scopes.to_s,
+            server_scopes: Doorkeeper.configuration.scopes,
+            app_scopes: app_scopes
           )
       end
 
       def authorized_tokens_for(application_id, resource_owner_id)
-        ordered_by(:created_at, :desc).
-          where(application_id: application_id,
-                resource_owner_id: resource_owner_id,
-                revoked_at: nil)
+        where(application_id: application_id,
+              resource_owner_id: resource_owner_id,
+              revoked_at: nil).order(Sequel.desc(:created_at))
       end
 
       def find_or_create_for(application, resource_owner_id, scopes, expires_in, use_refresh_token)
         if Doorkeeper.configuration.reuse_access_token
           access_token = matching_token_for(application, resource_owner_id, scopes)
-          return access_token if access_token && !access_token.expired?
+          return access_token if access_token&.reusable?
         end
 
         create!(
@@ -105,13 +127,22 @@ module DoorkeeperSequel
       def last_authorized_token_for(application_id, resource_owner_id)
         authorized_tokens_for(application_id, resource_owner_id).first
       end
+
+      def secret_strategy
+        ::Doorkeeper.configuration.token_secret_strategy
+      end
+
+      def fallback_secret_strategy
+        ::Doorkeeper.configuration.token_secret_fallback_strategy
+      end
     end
 
     def token_type
-      'Bearer'
+      "Bearer"
     end
 
     def use_refresh_token?
+      @use_refresh_token ||= false
       !!@use_refresh_token
     end
 
@@ -121,7 +152,7 @@ module DoorkeeperSequel
         scope: scopes,
         expires_in: expires_in_seconds,
         application: { uid: application.try(:uid) },
-        created_at: created_at.to_i
+        created_at: created_at.to_i,
       }
     end
 
@@ -135,32 +166,50 @@ module DoorkeeperSequel
       accessible? && includes_scope?(*scopes)
     end
 
+    def plaintext_refresh_token
+      if secret_strategy.allows_restoring_secrets?
+        secret_strategy.restore_secret(self, :refresh_token)
+      else
+        @raw_refresh_token
+      end
+    end
+
+    def plaintext_token
+      if secret_strategy.allows_restoring_secrets?
+        secret_strategy.restore_secret(self, :token)
+      else
+        @raw_token
+      end
+    end
+
     private
 
     def generate_refresh_token
-      self[:refresh_token] = UniqueToken.generate
+      @raw_refresh_token = UniqueToken.generate
+      secret_strategy.store_secret(self, :refresh_token, @raw_refresh_token)
     end
 
     def generate_token
       self[:created_at] ||= Time.now.utc
 
-      generator = token_generator
-      unless generator.respond_to?(:generate)
-        raise Doorkeeper::Errors::UnableToGenerateToken, "#{generator} does not respond to `.generate`."
-      end
-
-      self[:token] = generator.generate(
+      @raw_token = token_generator.generate(
         resource_owner_id: resource_owner_id,
         scopes: scopes,
         application: application,
         expires_in: expires_in,
         created_at: created_at
       )
+      secret_strategy.store_secret(self, :token, @raw_token)
+      @raw_token
     end
 
     def token_generator
       generator_name = Doorkeeper.configuration.access_token_generator
-      generator_name.constantize
+      generator = generator_name.constantize
+
+      return generator if generator.respond_to?(:generate)
+
+      raise Doorkeeper::Errors::UnableToGenerateToken, "#{generator} does not respond to `.generate`."
     rescue NameError
       raise Doorkeeper::Errors::TokenGeneratorNotFound, "#{generator_name} not found"
     end