doorkeeper 1.3.1 → 1.4.0
- checksums.yaml +4 -4
- data/.hound.yml +4 -1
- data/CHANGELOG.md +18 -0
- data/README.md +2 -1
- data/app/controllers/doorkeeper/application_metal_controller.rb +16 -0
- data/app/controllers/doorkeeper/applications_controller.rb +0 -6
- data/app/controllers/doorkeeper/authorizations_controller.rb +14 -15
- data/app/controllers/doorkeeper/authorized_applications_controller.rb +10 -8
- data/app/controllers/doorkeeper/token_info_controller.rb +1 -1
- data/app/controllers/doorkeeper/tokens_controller.rb +3 -11
- data/app/validators/redirect_uri_validator.rb +0 -1
- data/config/locales/en.yml +0 -3
- data/doorkeeper.gemspec +1 -0
- data/lib/doorkeeper.rb +1 -0
- data/lib/doorkeeper/config.rb +5 -5
- data/lib/doorkeeper/doorkeeper_for.rb +7 -17
- data/lib/doorkeeper/helpers/controller.rb +11 -8
- data/lib/doorkeeper/helpers/filter.rb +35 -13
- data/lib/doorkeeper/models/access_grant.rb +5 -5
- data/lib/doorkeeper/models/access_token.rb +9 -5
- data/lib/doorkeeper/models/active_record/access_grant.rb +1 -1
- data/lib/doorkeeper/models/active_record/access_token.rb +1 -1
- data/lib/doorkeeper/models/active_record/application.rb +3 -3
- data/lib/doorkeeper/models/application.rb +1 -1
- data/lib/doorkeeper/models/mongo_mapper/access_grant.rb +0 -3
- data/lib/doorkeeper/models/mongo_mapper/access_token.rb +0 -3
- data/lib/doorkeeper/models/mongoid2/access_grant.rb +1 -3
- data/lib/doorkeeper/models/mongoid2/access_token.rb +1 -3
- data/lib/doorkeeper/models/mongoid3_4/access_grant.rb +2 -4
- data/lib/doorkeeper/models/mongoid3_4/access_token.rb +2 -4
- data/lib/doorkeeper/models/revocable.rb +1 -1
- data/lib/doorkeeper/models/scopes.rb +6 -2
- data/lib/doorkeeper/oauth/authorization/code.rb +4 -0
- data/lib/doorkeeper/oauth/authorization/token.rb +8 -0
- data/lib/doorkeeper/oauth/authorization_code_request.rb +2 -2
- data/lib/doorkeeper/oauth/client.rb +2 -2
- data/lib/doorkeeper/oauth/client_credentials/creator.rb +1 -1
- data/lib/doorkeeper/oauth/client_credentials/validation.rb +2 -2
- data/lib/doorkeeper/oauth/client_credentials_request.rb +3 -12
- data/lib/doorkeeper/oauth/code_response.rb +3 -4
- data/lib/doorkeeper/oauth/error_response.rb +3 -3
- data/lib/doorkeeper/oauth/forbidden_token_response.rb +29 -0
- data/lib/doorkeeper/oauth/helpers/scope_checker.rb +1 -1
- data/lib/doorkeeper/oauth/password_access_token_request.rb +5 -5
- data/lib/doorkeeper/oauth/pre_authorization.rb +2 -2
- data/lib/doorkeeper/oauth/refresh_token_request.rb +6 -6
- data/lib/doorkeeper/oauth/request_concern.rb +2 -2
- data/lib/doorkeeper/oauth/token.rb +1 -1
- data/lib/doorkeeper/server.rb +2 -2
- data/lib/doorkeeper/version.rb +1 -1
- data/spec/controllers/authorizations_controller_spec.rb +46 -0
- data/spec/controllers/protected_resources_controller_spec.rb +13 -6
- data/spec/lib/models/revocable_spec.rb +1 -1
- data/spec/lib/models/scopes_spec.rb +11 -0
- data/spec/lib/oauth/authorization/uri_builder_spec.rb +5 -0
- data/spec/lib/oauth/forbidden_token_response_spec.rb +23 -0
- data/spec/models/doorkeeper/access_token_spec.rb +30 -0
- data/spec/requests/flows/refresh_token_spec.rb +2 -2
- data/spec/requests/protected_resources/private_api_spec.rb +5 -5
- data/spec/support/shared/controllers_shared_context.rb +2 -2
- data/spec/validators/redirect_uri_validator_spec.rb +1 -2
- metadata +19 -4
- data/lib/doorkeeper/models/mongo_mapper/revocable.rb +0 -15
- data/lib/doorkeeper/models/mongoid/revocable.rb +0 -15
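--- a/data/lib/doorkeeper/models/access_grant.rb
+++ b/data/lib/doorkeeper/models/access_grant.rb
@@ -1,10 +1,10 @@
 module Doorkeeper
 class AccessGrant
-include
-include
-include
-include
-include
+include OAuth::Helpers
+include Models::Expirable
+include Models::Revocable
+include Models::Accessible
+include Models::Scopes
 
 belongs_to :application, class_name: 'Doorkeeper::Application', inverse_of: :access_grants
 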
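--- a/data/lib/doorkeeper/models/access_token.rb
+++ b/data/lib/doorkeeper/models/access_token.rb
@@ -1,10 +1,10 @@
 module Doorkeeper
 class AccessToken
-include
-include
-include
-include
-include
+include OAuth::Helpers
+include Models::Expirable
+include Models::Revocable
+include Models::Accessible
+include Models::Scopes
 
 belongs_to :application,
 class_name: 'Doorkeeper::Application',
@@ -89,6 +89,10 @@ module Doorkeeper
 resource_owner_id == access_token.resource_owner_id
 end
 
+def acceptable?(scopes)
+accessible? && includes_scope?(scopes)
+end
+
 private
 
 def generate_refresh_token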
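Review bot: `acceptable?(scopes)` on new line 92 becomes the single predicate combining token usability with scope checking, yet it carries no comment, and its two halves have different semantics: `accessible?` comes from `Models::Accessible` (outside the hunk), while `includes_scope?`, defined in `Models::Scopes` in this same release, passes when at least one of `scopes` is held or when `scopes` is blank. A short comment above it would save the next reader from guessing: `# Usable token (see Models::Accessible) holding at least one of +scopes+; a blank +scopes+ only checks usability.` The class continues outside the hunk.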
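--- a/data/lib/doorkeeper/models/active_record/access_grant.rb
+++ b/data/lib/doorkeeper/models/active_record/access_grant.rb
@@ -4,6 +4,6 @@ module Doorkeeper
 establish_connection Doorkeeper.configuration.active_record_options[:establish_connection]
 end
 
-self.table_name = "#{
+self.table_name = "#{table_name_prefix}oauth_access_grants#{table_name_suffix}".to_sym
 end
 end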
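--- a/data/lib/doorkeeper/models/active_record/access_token.rb
+++ b/data/lib/doorkeeper/models/active_record/access_token.rb
@@ -4,7 +4,7 @@ module Doorkeeper
 establish_connection Doorkeeper.configuration.active_record_options[:establish_connection]
 end
 
-self.table_name = "#{
+self.table_name = "#{table_name_prefix}oauth_access_tokens#{table_name_suffix}".to_sym
 
 def self.delete_all_for(application_id, resource_owner)
 where(application_id: application_id,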
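--- a/data/lib/doorkeeper/models/active_record/application.rb
+++ b/data/lib/doorkeeper/models/active_record/application.rb
@@ -4,7 +4,7 @@ module Doorkeeper
 establish_connection Doorkeeper.configuration.active_record_options[:establish_connection]
 end
 
-self.table_name = "#{
+self.table_name = "#{table_name_prefix}oauth_applications#{table_name_suffix}".to_sym
 
 if ActiveRecord::VERSION::MAJOR >= 4
 has_many :authorized_tokens, -> { where(revoked_at: nil) }, class_name: 'AccessToken'
@@ -14,12 +14,12 @@ module Doorkeeper
 has_many :authorized_applications, through: :authorized_tokens, source: :application
 
 def self.column_names_with_table
-self.column_names.map { |c| "#{
+self.column_names.map { |c| "#{table_name}.#{c}" }
 end
 
 def self.authorized_for(resource_owner)
 joins(:authorized_applications).
-where(
+where(AccessToken.table_name => { resource_owner_id: resource_owner.id, revoked_at: nil }).
 group(column_names_with_table.join(','))
 end
 end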
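--- a/data/lib/doorkeeper/models/application.rb
+++ b/data/lib/doorkeeper/models/application.rb
@@ -1,6 +1,6 @@
 module Doorkeeper
 class Application
-include
+include OAuth::Helpers
 
 has_many :access_grants, dependent: :destroy, class_name: 'Doorkeeper::AccessGrant'
 has_many :access_tokens, dependent: :destroy, class_name: 'Doorkeeper::AccessToken'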
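--- a/data/lib/doorkeeper/models/mongoid2/access_grant.rb
+++ b/data/lib/doorkeeper/models/mongoid2/access_grant.rb
@@ -1,12 +1,10 @@
-require 'doorkeeper/models/mongoid/revocable'
 require 'doorkeeper/models/mongoid/scopes'
 
 module Doorkeeper
 class AccessGrant
 include Mongoid::Document
 include Mongoid::Timestamps
-include
-include Doorkeeper::Models::Mongoid::Scopes
+include Models::Mongoid::Scopes
 
 self.store_in :oauth_access_grants
 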
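--- a/data/lib/doorkeeper/models/mongoid2/access_token.rb
+++ b/data/lib/doorkeeper/models/mongoid2/access_token.rb
@@ -1,12 +1,10 @@
-require 'doorkeeper/models/mongoid/revocable'
 require 'doorkeeper/models/mongoid/scopes'
 
 module Doorkeeper
 class AccessToken
 include Mongoid::Document
 include Mongoid::Timestamps
-include
-include Doorkeeper::Models::Mongoid::Scopes
+include Models::Mongoid::Scopes
 
 self.store_in :oauth_access_tokens
 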
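--- a/data/lib/doorkeeper/models/mongoid3_4/access_grant.rb
+++ b/data/lib/doorkeeper/models/mongoid3_4/access_grant.rb
@@ -1,4 +1,3 @@
-require 'doorkeeper/models/mongoid/revocable'
 require 'doorkeeper/models/mongoid/scopes'
 require 'doorkeeper/models/mongoid/version'
 
@@ -6,9 +5,8 @@ module Doorkeeper
 class AccessGrant
 include Mongoid::Document
 include Mongoid::Timestamps
-include
-
-extend Doorkeeper::Models::Mongoid::Version
+include Models::Mongoid::Scopes
+extend Models::Mongoid::Version
 
 self.store_in collection: :oauth_access_grants
 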
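--- a/data/lib/doorkeeper/models/mongoid3_4/access_token.rb
+++ b/data/lib/doorkeeper/models/mongoid3_4/access_token.rb
@@ -1,4 +1,3 @@
-require 'doorkeeper/models/mongoid/revocable'
 require 'doorkeeper/models/mongoid/scopes'
 require 'doorkeeper/models/mongoid/version'
 
@@ -6,9 +5,8 @@ module Doorkeeper
 class AccessToken
 include Mongoid::Document
 include Mongoid::Timestamps
-include
-
-extend Doorkeeper::Models::Mongoid::Version
+include Models::Mongoid::Scopes
+extend Models::Mongoid::Version
 
 self.store_in collection: :oauth_access_tokens
 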
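--- a/data/lib/doorkeeper/models/scopes.rb
+++ b/data/lib/doorkeeper/models/scopes.rb
@@ -4,11 +4,15 @@ module Doorkeeper
 def self.included(base)
 base.class_eval do
 define_method :scopes do
-
+OAuth::Scopes.from_string(self[:scopes])
 end
 
 define_method :scopes_string do
-
+OAuth::Scopes.from_string(self[:scopes]).to_s
+end
+
+define_method :includes_scope? do |required_scopes|
+required_scopes.blank? || required_scopes.any? { |s| scopes.exists?(s) }
 end
 end
 end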
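Review bot: `includes_scope?` on new line 15 passes when the record holds at least one of `required_scopes`, and unconditionally when `required_scopes` is blank, but neither the name nor a comment says so; a caller passing several scopes and expecting all of them to be required gets a weaker check than it assumes. A comment on the definition would pin this down: `# Any-of check: true when no scopes are required, or when at least one of required_scopes is held by this record.` Since the new `AccessToken#acceptable?` in this release delegates to this predicate, the any-of versus all-of distinction is worth stating explicitly. Defining the three methods through `define_method` inside `included` also hides them from `grep`/documentation tools; plain instance methods on the module would read more directly.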
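--- a/data/lib/doorkeeper/oauth/authorization_code_request.rb
+++ b/data/lib/doorkeeper/oauth/authorization_code_request.rb
@@ -1,8 +1,8 @@
 module Doorkeeper
 module OAuth
 class AuthorizationCodeRequest
-include
-include
+include Validations
+include OAuth::RequestConcern
 
 validate :attributes, error: :invalid_request
 validate :client, error: :invalid_client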
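--- a/data/lib/doorkeeper/oauth/client.rb
+++ b/data/lib/doorkeeper/oauth/client.rb
@@ -4,13 +4,13 @@ require 'doorkeeper/oauth/client/credentials'
 module Doorkeeper
 module OAuth
 class Client
-def self.find(uid, method =
+def self.find(uid, method = Application.method(:by_uid))
 if application = method.call(uid)
 new(application)
 end
 end
 
-def self.authenticate(credentials, method =
+def self.authenticate(credentials, method = Application.method(:authenticate))
 return false if credentials.blank?
 if application = method.call(credentials.uid, credentials.secret)
 new(application)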
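--- a/data/lib/doorkeeper/oauth/client_credentials/validation.rb
+++ b/data/lib/doorkeeper/oauth/client_credentials/validation.rb
@@ -6,8 +6,8 @@ module Doorkeeper
 module OAuth
 class ClientCredentialsRequest
 class Validation
-include
-include
+include Validations
+include OAuth::Helpers
 
 validate :client, error: :invalid_client
 validate :scopes, error: :invalid_scope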
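--- a/data/lib/doorkeeper/oauth/client_credentials_request.rb
+++ b/data/lib/doorkeeper/oauth/client_credentials_request.rb
@@ -5,10 +5,10 @@ require 'doorkeeper/oauth/client_credentials/validation'
 module Doorkeeper
 module OAuth
 class ClientCredentialsRequest
-include
-include
+include Validations
+include OAuth::RequestConcern
 
-attr_accessor :issuer, :server, :client, :original_scopes
+attr_accessor :issuer, :server, :client, :original_scopes
 attr_reader :response
 alias :error_response :response
 
@@ -28,15 +28,6 @@ module Doorkeeper
 issuer.token
 end
 
-# TODO: Why can't it use RequestConcern's implementation?
-def scopes
-@scopes ||= if @original_scopes.present?
-Doorkeeper::OAuth::Scopes.from_string(@original_scopes)
-else
-server.default_scopes
-end
-end
-
 private
 
 def valid?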
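--- a/data/lib/doorkeeper/oauth/code_response.rb
+++ b/data/lib/doorkeeper/oauth/code_response.rb
@@ -1,8 +1,8 @@
 module Doorkeeper
 module OAuth
 class CodeResponse
-include
-include
+include OAuth::Authorization::URIBuilder
+include OAuth::Helpers
 
 attr_accessor :pre_auth, :auth, :response_on_fragment
 
@@ -15,10 +15,9 @@ module Doorkeeper
 true
 end
 
-# TODO: configure the test oauth path?
 def redirect_uri
 if URIChecker.native_uri? pre_auth.redirect_uri
-
+auth.native_redirect
 else
 if response_on_fragment
 uri_with_fragment(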
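--- a/data/lib/doorkeeper/oauth/error_response.rb
+++ b/data/lib/doorkeeper/oauth/error_response.rb
@@ -1,8 +1,8 @@
 module Doorkeeper
 module OAuth
 class ErrorResponse
-include
-include
+include OAuth::Authorization::URIBuilder
+include OAuth::Helpers
 
 def self.from_request(request, attributes = {})
 state = request.state if request.respond_to?(:state)
@@ -12,7 +12,7 @@ module Doorkeeper
 delegate :name, :description, :state, to: :@error
 
 def initialize(attributes = {})
-@error =
+@error = OAuth::Error.new(*attributes.values_at(:name, :state))
 @redirect_uri = attributes[:redirect_uri]
 @response_on_fragment = attributes[:response_on_fragment]
 end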
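--- /dev/null
+++ b/data/lib/doorkeeper/oauth/forbidden_token_response.rb
@@ -0,0 +1,29 @@
+module Doorkeeper
+module OAuth
+class ForbiddenTokenResponse < ErrorResponse
+def self.from_scopes(scopes, attributes = {})
+new(attributes.merge(scopes: scopes))
+end
+
+def initialize(attributes = {})
+super(attributes.merge(name: :invalid_scope, state: :forbidden))
+@scopes = attributes[:scopes]
+end
+
+def status
+:forbidden
+end
+
+def headers
+headers = super
+headers.delete 'WWW-Authenticate'
+headers
+end
+
+def description
+scope = { scope: [:doorkeeper, :scopes] }
+@description ||= @scopes.map { |r| I18n.translate r, scope }.join('\n')
+end
+end
+end
+end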
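Review bot: On new line 25 the description is joined with `'\n'`, which in single quotes is the two characters backslash and n, so the translated scope names end up separated by a literal `\n` rather than line breaks; it should be `.join("\n")`. The same method assumes `@scopes` is set, so an instance built through `new` without a `:scopes` key (rather than via `from_scopes`) raises `NoMethodError` on `nil.map`; `Array(@scopes).map { ... }` would make it safe. Separately, `headers` drops `WWW-Authenticate` and `initialize` labels the error `:invalid_scope`, while RFC 6750 §3.1 describes the 403 case as `insufficient_scope` carried in the `WWW-Authenticate` challenge (optionally with the required `scope`), so a bearer client cannot learn from this response which scope it lacks; if the deviation is deliberate, a comment on `headers` saying why would help.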
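--- a/data/lib/doorkeeper/oauth/helpers/scope_checker.rb
+++ b/data/lib/doorkeeper/oauth/helpers/scope_checker.rb
@@ -10,7 +10,7 @@ module Doorkeeper
 def self.valid?(scope, server_scopes)
 scope.present? &&
 scope !~ /[\n|\r|\t]/ &&
-server_scopes.has_scopes?(
+server_scopes.has_scopes?(OAuth::Scopes.from_string(scope))
 end
 end
 end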
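--- a/data/lib/doorkeeper/oauth/password_access_token_request.rb
+++ b/data/lib/doorkeeper/oauth/password_access_token_request.rb
@@ -1,9 +1,9 @@
 module Doorkeeper
 module OAuth
 class PasswordAccessTokenRequest
-include
-include
-include
+include Validations
+include OAuth::RequestConcern
+include OAuth::Helpers
 
 validate :client, error: :invalid_client
 validate :resource_owner, error: :invalid_resource_owner
@@ -19,8 +19,8 @@ module Doorkeeper
 @original_scopes = parameters[:scope]
 
 if credentials
-@client =
-
+@client = Application.authenticate credentials.uid,
+credentials.secret
 end
 end
 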
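--- a/data/lib/doorkeeper/oauth/pre_authorization.rb
+++ b/data/lib/doorkeeper/oauth/pre_authorization.rb
@@ -1,7 +1,7 @@
 module Doorkeeper
 module OAuth
 class PreAuthorization
-include
+include Validations
 
 validate :response_type, error: :unsupported_response_type
 validate :client, error: :invalid_client
@@ -33,7 +33,7 @@ module Doorkeeper
 end
 
 def error_response
-
+OAuth::ErrorResponse.from_request(self)
 end
 
 private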
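--- a/data/lib/doorkeeper/oauth/refresh_token_request.rb
+++ b/data/lib/doorkeeper/oauth/refresh_token_request.rb
@@ -1,9 +1,9 @@
 module Doorkeeper
 module OAuth
 class RefreshTokenRequest
-include
-include
-include
+include Validations
+include OAuth::RequestConcern
+include OAuth::Helpers
 
 validate :token, error: :invalid_request
 validate :client, error: :invalid_client
@@ -20,8 +20,8 @@ module Doorkeeper
 @original_scopes = parameters[:scopes]
 
 if credentials
-@client =
-
+@client = Application.authenticate credentials.uid,
+credentials.secret
 end
 end
 
@@ -37,7 +37,7 @@ module Doorkeeper
 end
 
 def create_access_token
-@access_token =
+@access_token = AccessToken.create!(
 application_id: refresh_token.application_id,
 resource_owner_id: refresh_token.resource_owner_id,
 scopes: scopes.to_s,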
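Review bot: The context line directly above the changed client lookup in the second hunk reads the requested scopes from `parameters[:scopes]`, while the password flow touched by this same release reads `parameters[:scope]`; RFC 6749 §6 names the refresh-request parameter `scope`, so a client sending the standard name would have its scope narrowing ignored, and the new token built in `create_access_token` would then carry whatever `scopes` resolves to (presumably a fallback in `OAuth::RequestConcern`, which is outside the hunk) via `scopes: scopes.to_s`. If `:scopes` is kept on purpose for backward compatibility, a comment on that line saying so would help; otherwise `@original_scopes = parameters[:scope]` would align the two flows. `create_access_token` continues past the end of the hunk.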