doorkeeper 1.1.0 → 1.2.0

data/spec/requests/flows/implicit_grant_errors_spec.rb

@@ -14,17 +14,17 @@ feature 'Implicit Grant Flow Errors' do
 
   [
     [:client_id,     :invalid_client],
-    [:redirect_uri,  :invalid_redirect_uri],
+    [:redirect_uri,  :invalid_redirect_uri]
   ].each do |error|
     scenario "displays #{error.last.inspect} error for invalid #{error.first.inspect}" do
-      visit authorization_endpoint_url(:client => @client, error.first => "invalid", :response_type => "token")
-      i_should_not_see "Authorize"
+      visit authorization_endpoint_url(client: @client, error.first => 'invalid', response_type: 'token')
+      i_should_not_see 'Authorize'
       i_should_see_translated_error_message error.last
     end
 
     scenario "displays #{error.last.inspect} error when #{error.first.inspect} is missing" do
-      visit authorization_endpoint_url(:client => @client, error.first => "", :response_type => "token")
-      i_should_not_see "Authorize"
+      visit authorization_endpoint_url(client: @client, error.first => '', response_type: 'token')
+      i_should_not_see 'Authorize'
       i_should_see_translated_error_message error.last
     end
   end

data/spec/requests/flows/implicit_grant_spec.rb

@@ -9,8 +9,8 @@ feature 'Implicit Grant Flow' do
   end
 
   scenario 'resource owner authorizes the client' do
-    visit authorization_endpoint_url(:client => @client, :response_type => 'token')
-    click_on "Authorize"
+    visit authorization_endpoint_url(client: @client, response_type: 'token')
+    click_on 'Authorize'
 
     access_token_should_exist_for @client, @resource_owner
 

data/spec/requests/flows/password_spec.rb

@@ -12,11 +12,11 @@ feature 'Resource Owner Password Credentials Flow inproperly set up' do
   end
 
   context 'with valid user credentials' do
-    scenario "should issue new token" do
+    scenario 'should issue new token' do
       pending 'Check a way to supress warnings here (or handle config better)'
-      expect {
-        post password_token_endpoint_url(:client => @client, :resource_owner => @resource_owner)
-      }.to_not change { Doorkeeper::AccessToken.count }
+      expect do
+        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+      end.to_not change { Doorkeeper::AccessToken.count }
     end
   end
 end
@@ -29,30 +29,30 @@ feature 'Resource Owner Password Credentials Flow' do
   end
 
   context 'with valid user credentials' do
-    scenario "should issue new token" do
-      expect {
-        post password_token_endpoint_url(:client => @client, :resource_owner => @resource_owner)
-      }.to change { Doorkeeper::AccessToken.count }.by(1)
+    scenario 'should issue new token' do
+      expect do
+        post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+      end.to change { Doorkeeper::AccessToken.count }.by(1)
 
       token = Doorkeeper::AccessToken.first
 
       should_have_json 'access_token',  token.token
     end
 
-    scenario "should issue new token without client credentials" do
-      expect {
-        post password_token_endpoint_url(:resource_owner => @resource_owner)
-      }.to change { Doorkeeper::AccessToken.count }.by(1)
+    scenario 'should issue new token without client credentials' do
+      expect do
+        post password_token_endpoint_url(resource_owner: @resource_owner)
+      end.to change { Doorkeeper::AccessToken.count }.by(1)
 
       token = Doorkeeper::AccessToken.first
 
       should_have_json 'access_token',  token.token
     end
 
-    scenario "should issue a refresh token if enabled" do
+    scenario 'should issue a refresh token if enabled' do
       config_is_set(:refresh_token_enabled, true)
 
-      post password_token_endpoint_url(:client => @client, :resource_owner => @resource_owner)
+      post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
 
       token = Doorkeeper::AccessToken.first
 
@@ -60,29 +60,29 @@ feature 'Resource Owner Password Credentials Flow' do
     end
   end
 
-  context "with invalid user credentials" do
-    scenario "should not issue new token with bad password" do
-      expect {
-        post password_token_endpoint_url( :client => @client,
-                                          :resource_owner_username => @resource_owner.name,
-                                          :resource_owner_password => 'wrongpassword')
-      }.to_not change { Doorkeeper::AccessToken.count }
+  context 'with invalid user credentials' do
+    scenario 'should not issue new token with bad password' do
+      expect do
+        post password_token_endpoint_url(client: @client,
+                                         resource_owner_username: @resource_owner.name,
+                                         resource_owner_password: 'wrongpassword')
+      end.to_not change { Doorkeeper::AccessToken.count }
     end
 
-    scenario "should not issue new token without credentials" do
-      expect {
-        post password_token_endpoint_url( :client => @client)
-      }.to_not change { Doorkeeper::AccessToken.count }
+    scenario 'should not issue new token without credentials' do
+      expect do
+        post password_token_endpoint_url(client: @client)
+      end.to_not change { Doorkeeper::AccessToken.count }
     end
   end
 
-  context "with invalid client credentials" do
-    scenario "should not issue new token with bad client credentials" do
-      expect {
-        post password_token_endpoint_url( :client_id => @client.uid,
-                                          :client_secret => "bad_secret",
-                                          :resource_owner => @resource_owner)
-      }.to_not change { Doorkeeper::AccessToken.count }
+  context 'with invalid client credentials' do
+    scenario 'should not issue new token with bad client credentials' do
+      expect do
+        post password_token_endpoint_url(client_id: @client.uid,
+                                         client_secret: 'bad_secret',
+                                         resource_owner: @resource_owner)
+      end.to_not change { Doorkeeper::AccessToken.count }
     end
   end
 end

data/spec/requests/flows/refresh_token_spec.rb

@@ -1,21 +1,21 @@
 require 'spec_helper_integration'
 
-feature "Refresh Token Flow" do
+feature 'Refresh Token Flow' do
   before do
-    Doorkeeper.configure {
+    Doorkeeper.configure do
       orm DOORKEEPER_ORM
       use_refresh_token
-    }
+    end
     client_exists
   end
 
-  context "issuing a refresh token" do
+  context 'issuing a refresh token' do
     before do
-      authorization_code_exists :application => @client
+      authorization_code_exists application: @client
     end
 
-    scenario "client gets the refresh token and refreshses it" do
-      post token_endpoint_url(:code => @authorization.token, :client => @client)
+    scenario 'client gets the refresh token and refreshses it' do
+      post token_endpoint_url(code: @authorization.token, client: @client)
 
       token = Doorkeeper::AccessToken.first
 
@@ -24,7 +24,7 @@ feature "Refresh Token Flow" do
 
       expect(@authorization.reload).to be_revoked
 
-      post refresh_token_endpoint_url(:client => @client, :refresh_token => token.refresh_token)
+      post refresh_token_endpoint_url(client: @client, refresh_token: token.refresh_token)
 
       new_token = Doorkeeper::AccessToken.last
       should_have_json 'access_token',  new_token.token
@@ -35,52 +35,52 @@ feature "Refresh Token Flow" do
     end
   end
 
-  context "refreshing the token" do
+  context 'refreshing the token' do
     before do
-      @token = FactoryGirl.create(:access_token, :application => @client, :resource_owner_id => 1, :use_refresh_token => true)
+      @token = FactoryGirl.create(:access_token, application: @client, resource_owner_id: 1, use_refresh_token: true)
     end
 
-    scenario "client request a token with refresh token" do
-      post refresh_token_endpoint_url(:client => @client, :refresh_token => @token.refresh_token)
+    scenario 'client request a token with refresh token' do
+      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
       should_have_json 'refresh_token', Doorkeeper::AccessToken.last.refresh_token
       expect(@token.reload).to be_revoked
     end
 
-    scenario "client request a token with expired access token" do
+    scenario 'client request a token with expired access token' do
       @token.update_column :expires_in, -100
-      post refresh_token_endpoint_url(:client => @client, :refresh_token => @token.refresh_token)
+      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
       should_have_json 'refresh_token', Doorkeeper::AccessToken.last.refresh_token
       expect(@token.reload).to be_revoked
     end
 
     # TODO: verify proper error code for this (previously was invalid_grant)
-    scenario "client gets an error for invalid refresh token" do
-      post refresh_token_endpoint_url(:client => @client, :refresh_token => "invalid")
+    scenario 'client gets an error for invalid refresh token' do
+      post refresh_token_endpoint_url(client: @client, refresh_token: 'invalid')
       should_not_have_json 'refresh_token'
       should_have_json 'error', 'invalid_request'
     end
 
     # TODO: verify proper error code for this (previously was invalid_grant)
-    scenario "client gets an error for revoked acccess token" do
+    scenario 'client gets an error for revoked acccess token' do
       @token.revoke
-      post refresh_token_endpoint_url(:client => @client, :refresh_token => @token.refresh_token)
+      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
       should_not_have_json 'refresh_token'
       should_have_json 'error', 'invalid_request'
     end
   end
 
-  context "refreshing the token with multiple sessions (devices)" do
+  context 'refreshing the token with multiple sessions (devices)' do
     before do
       # enable password auth to simulate other devices
       config_is_set(:resource_owner_from_credentials) { User.authenticate! params[:username], params[:password] }
       create_resource_owner
-      @token = FactoryGirl.create(:access_token, :application => @client, :resource_owner_id => @resource_owner.id, :use_refresh_token => true)
+      @token = FactoryGirl.create(:access_token, application: @client, resource_owner_id: @resource_owner.id, use_refresh_token: true)
     end
 
-    scenario "client request a token after creating another token with the same user" do
+    scenario 'client request a token after creating another token with the same user' do
       @token.update_column :expires_in, -100
-      post password_token_endpoint_url(:client => @client, :resource_owner => @resource_owner)
-      post refresh_token_endpoint_url(:client => @client, :refresh_token => @token.refresh_token)
+      post password_token_endpoint_url(client: @client, resource_owner: @resource_owner)
+      post refresh_token_endpoint_url(client: @client, refresh_token: @token.refresh_token)
       should_have_json 'refresh_token', Doorkeeper::AccessToken.last.refresh_token
       expect(@token.reload).to be_revoked
     end

data/spec/requests/flows/revoke_token_spec.rb

@@ -0,0 +1,165 @@
+require 'spec_helper_integration'
+
+feature 'Revoke Token Flow' do
+
+  before do
+    Doorkeeper.configure { orm DOORKEEPER_ORM }
+  end
+
+  context 'with default parameters' do
+
+    let(:client_application) { FactoryGirl.create :application }
+    let(:resource_owner) { User.create!(name: 'John', password: 'sekret') }
+    let(:authorization_access_token) do
+      FactoryGirl.create(:access_token,
+                         application: client_application,
+                         resource_owner_id: resource_owner.id,
+                         use_refresh_token: true)
+    end
+
+    let(:headers) { { 'HTTP_AUTHORIZATION' => "Bearer #{authorization_access_token.token}" } }
+
+    context 'With invalid token to revoke' do
+
+      scenario 'client wants to revoke the given access token' do
+
+        post revocation_token_endpoint_url, { token: 'I_AM_AN_INVALIDE_TOKEN' }, headers
+
+        authorization_access_token.reload
+        # The authorization server responds with HTTP status code 200 if the token
+        # has been revoked successfully or if the client submitted an invalid token.
+        expect(response).to be_success
+        expect(authorization_access_token).to_not be_revoked
+      end
+    end
+
+    context 'The access token to revoke is the same than the authorization access token' do
+
+      let(:token_to_revoke) { authorization_access_token }
+
+      scenario 'client wants to revoke the given access token' do
+
+        post revocation_token_endpoint_url, { token: token_to_revoke.token }, headers
+
+        token_to_revoke.reload
+        authorization_access_token.reload
+
+        expect(response).to be_success
+        expect(token_to_revoke.revoked?).to be_true
+        expect(Doorkeeper::AccessToken.by_refresh_token(token_to_revoke.refresh_token).revoked?).to be_true
+
+      end
+
+      scenario 'client wants to revoke the given access token using the POST query string' do
+
+        url_with_query_string = revocation_token_endpoint_url + '?' + Rack::Utils.build_query(token: token_to_revoke.token)
+        post url_with_query_string, {}, headers
+
+        token_to_revoke.reload
+        authorization_access_token.reload
+
+        expect(response).to be_success
+        expect(token_to_revoke.revoked?).to be_false
+        expect(Doorkeeper::AccessToken.by_refresh_token(token_to_revoke.refresh_token).revoked?).to be_false
+        expect(authorization_access_token.revoked?).to be_false
+
+      end
+
+    end
+
+    context 'The access token to revoke app and owners are the same than the authorization access token' do
+
+      let(:token_to_revoke) do
+        FactoryGirl.create(:access_token,
+                           application: client_application,
+                           resource_owner_id: resource_owner.id,
+                           use_refresh_token: true)
+      end
+
+      scenario 'client wants to revoke the given access token' do
+
+        post revocation_token_endpoint_url, { token: token_to_revoke.token }, headers
+
+        token_to_revoke.reload
+        authorization_access_token.reload
+
+        expect(response).to be_success
+        expect(token_to_revoke.revoked?).to be_true
+        expect(Doorkeeper::AccessToken.by_refresh_token(token_to_revoke.refresh_token).revoked?).to be_true
+        expect(authorization_access_token.revoked?).to be_false
+
+      end
+    end
+
+    context 'The access token to revoke authorization owner is the same than the authorization access token' do
+
+      let(:other_client_application) { FactoryGirl.create :application }
+      let(:token_to_revoke) do
+        FactoryGirl.create(:access_token,
+                           application: other_client_application,
+                           resource_owner_id: resource_owner.id,
+                           use_refresh_token: true)
+      end
+
+      scenario 'client wants to revoke the given access token' do
+
+        post revocation_token_endpoint_url, { token: token_to_revoke.token }, headers
+
+        token_to_revoke.reload
+        authorization_access_token.reload
+
+        expect(response).to be_success
+        expect(token_to_revoke.revoked?).to be_false
+        expect(Doorkeeper::AccessToken.by_refresh_token(token_to_revoke.refresh_token).revoked?).to be_false
+        expect(authorization_access_token.revoked?).to be_false
+
+      end
+    end
+    context 'The access token to revoke app is the same than the authorization access token' do
+
+      let(:other_resource_owner) { User.create!(name: 'Matheo', password: 'pareto') }
+      let(:token_to_revoke) do
+        FactoryGirl.create(:access_token,
+                           application: client_application,
+                           resource_owner_id: other_resource_owner.id,
+                           use_refresh_token: true)
+      end
+
+      scenario 'client wants to revoke the given access token' do
+
+        post revocation_token_endpoint_url, { token: token_to_revoke.token }, headers
+
+        token_to_revoke.reload
+        authorization_access_token.reload
+
+        expect(response).to be_success
+        expect(token_to_revoke.revoked?).to be_false
+        expect(Doorkeeper::AccessToken.by_refresh_token(token_to_revoke.refresh_token).revoked?).to be_false
+        expect(authorization_access_token.revoked?).to be_false
+
+      end
+    end
+
+    context 'With valid refresh token to revoke' do
+
+      let(:token_to_revoke) do
+        FactoryGirl.create(:access_token,
+                           application: client_application,
+                           resource_owner_id: resource_owner.id,
+                           use_refresh_token: true)
+      end
+
+      scenario 'client wants to revoke the given refresh token' do
+
+        post revocation_token_endpoint_url, { token: token_to_revoke.refresh_token, token_type_hint: 'refresh_token' }, headers
+        authorization_access_token.reload
+        token_to_revoke.reload
+
+        expect(response).to be_success
+        expect(Doorkeeper::AccessToken.by_refresh_token(token_to_revoke.refresh_token).revoked?).to be_true
+        expect(authorization_access_token).to_not be_revoked
+
+      end
+    end
+  end
+end

data/spec/requests/flows/skip_authorization_spec.rb

@@ -15,25 +15,25 @@ feature 'Skip authorization form' do
     end
 
     scenario 'skips the authorization and return a new grant code' do
-      client_is_authorized(@client, @resource_owner, :scopes => "public")
-      visit authorization_endpoint_url(:client => @client)
+      client_is_authorized(@client, @resource_owner, scopes: 'public')
+      visit authorization_endpoint_url(client: @client)
 
-      i_should_not_see "Authorize"
+      i_should_not_see 'Authorize'
       client_should_be_authorized @client
       i_should_be_on_client_callback @client
-      url_should_have_param "code", Doorkeeper::AccessGrant.first.token
+      url_should_have_param 'code', Doorkeeper::AccessGrant.first.token
     end
 
     scenario 'does not skip authorization when scopes differ' do
-      client_is_authorized(@client, @resource_owner, :scopes => "public write")
-      visit authorization_endpoint_url(:client => @client, :scope => "public")
-      i_should_see "Authorize"
+      client_is_authorized(@client, @resource_owner, scopes: 'public write')
+      visit authorization_endpoint_url(client: @client, scope: 'public')
+      i_should_see 'Authorize'
     end
 
     scenario 'creates grant with new scope when scopes differ' do
-      client_is_authorized(@client, @resource_owner, :scopes => "public write")
-      visit authorization_endpoint_url(:client => @client, :scope => "public")
-      click_on "Authorize"
+      client_is_authorized(@client, @resource_owner, scopes: 'public write')
+      visit authorization_endpoint_url(client: @client, scope: 'public')
+      click_on 'Authorize'
       access_grant_should_have_scopes :public
     end
   end

data/spec/requests/protected_resources/metal_spec.rb

@@ -3,7 +3,7 @@ require 'spec_helper_integration'
 feature 'ActionController::Metal API' do
   background do
     @client   = FactoryGirl.create(:application)
-    @resource = User.create!(:name => "Joe", :password => "sekret")
+    @resource = User.create!(name: 'Joe', password: 'sekret')
     @token    = client_is_authorized(@client, @resource)
   end