doorkeeper 1.4.1 → 2.0.0

data/lib/doorkeeper/config.rb

@@ -8,6 +8,7 @@ module Doorkeeper
   def self.configure(&block)
     @config = Config::Builder.new(&block).build
     enable_orm
+    check_for_missing_columns
     setup_application_owner if @config.enable_application_owner?
   end
 
@@ -15,26 +16,42 @@ module Doorkeeper
     @config || (fail MissingConfiguration.new)
   end
 
-  def self.orm_model_dir
-    case configuration.orm
-    when :mongoid3, :mongoid4
-      'mongoid3_4'
-    else
-      configuration.orm
+  def self.check_for_missing_columns
+    if Doorkeeper.configuration.orm == :active_record &&
+        !Application.new.attributes.include?("scopes")
+
+      puts <<-MSG.squish
+[doorkeeper] Missing column: `applications.scopes`.
+If you are using ActiveRecord run `rails generate doorkeeper:application_scopes
+&& rake db:migrate` to add it.
+      MSG
     end
+  rescue ActiveRecord::StatementInvalid
+    # trap error when DB is not yet setup
   end
 
   def self.enable_orm
-    require "doorkeeper/models/#{orm_model_dir}/access_grant"
-    require "doorkeeper/models/#{orm_model_dir}/access_token"
-    require "doorkeeper/models/#{orm_model_dir}/application"
-    require 'doorkeeper/models/access_grant'
-    require 'doorkeeper/models/access_token'
-    require 'doorkeeper/models/application'
+    class_name = "doorkeeper/orm/#{configuration.orm}".classify
+    class_name.constantize.initialize_models!
+  rescue NameError => e
+    if e.instance_of?(NameError)
+      fail e, "ORM adapter not found (#{configuration.orm})", <<-error_msg
+[doorkeeper] ORM adapter not found (#{configuration.orm}), or there was an error
+trying to load it.
+
+You probably need to add the related gem for this adapter to work with
+doorkeeper.
+
+If you are working on the adapter itself, double check that the constant exists,
+and that your `initialize_models!` method doesn't raise any errors.\n
+      error_msg
+    else
+      raise e
+    end
   end
 
   def self.setup_application_owner
-    require File.join(File.dirname(__FILE__), 'models', 'ownership')
+    require File.join(File.dirname(__FILE__), 'models', 'concerns', 'ownership')
     Application.send :include, Models::Ownership
   end
 
@@ -86,12 +103,8 @@ module Doorkeeper
         @config.instance_variable_set("@reuse_access_token", true)
       end
 
-      def test_redirect_uri(uri)
-        warn <<-TEXT
-          DEPRECATION: test_redirect_uri has renamed to native_redirect_uri. use "native_redirect_uri '#{uri}'".
-        TEXT
-
-        @config.instance_variable_set('@native_redirect_uri', uri)
+      def force_ssl_in_redirect_uri(boolean)
+        @config.instance_variable_set("@force_ssl_in_redirect_uri", boolean)
       end
     end
 
@@ -180,6 +193,7 @@ module Doorkeeper
     option :active_record_options,         default: {}
     option :realm,                         default: 'Doorkeeper'
     option :wildcard_redirect_uri,         default: false
+    option :force_ssl_in_redirect_uri,     default: !Rails.env.development?
     option :grant_flows,
            default: %w(authorization_code implicit password client_credentials)
 
@@ -209,10 +223,6 @@ module Doorkeeper
       @scopes ||= default_scopes + optional_scopes
     end
 
-    def orm_name
-      [:mongoid2, :mongoid3, :mongoid4].include?(orm) ? :mongoid : orm
-    end
-
     def client_credentials_methods
       @client_credentials ||= [:from_basic, :from_params]
     end
@@ -233,7 +243,7 @@ module Doorkeeper
       @token_grant_types ||= calculate_token_grant_types
     end
 
-  private
+    private
 
     # Determines what values are acceptable for 'response_type' param in
     # authorization request endpoint, and return them as an array of strings.

data/lib/doorkeeper/engine.rb

@@ -1,13 +1,12 @@
 module Doorkeeper
   class Engine < Rails::Engine
     initializer 'doorkeeper.routes' do
-      Doorkeeper::Rails::Routes.warn_if_using_mount_method!
       Doorkeeper::Rails::Routes.install!
     end
 
     initializer 'doorkeeper.helpers' do
       ActiveSupport.on_load(:action_controller) do
-        include Doorkeeper::Helpers::Filter
+        include Doorkeeper::Rails::Helpers
       end
     end
   end

data/lib/doorkeeper/generators/doorkeeper/mongo_mapper/indexes_generator.rb

@@ -0,0 +1,12 @@
+module Doorkeeper
+  module MongoMapper
+    class IndexesGenerator < ::Rails::Generators::Base
+      source_root File.expand_path('templates', __FILE__)
+      desc "'Creates an indexes file for use with MongoMapper's rake db:index'"
+
+      def install
+        template 'indexes.rb', 'db/indexes.rb'
+      end
+    end
+  end
+end

data/lib/doorkeeper/models/access_grant_mixin.rb

@@ -0,0 +1,36 @@
+module Doorkeeper
+  module AccessGrantMixin
+    extend ActiveSupport::Concern
+
+    include OAuth::Helpers
+    include Models::Expirable
+    include Models::Revocable
+    include Models::Accessible
+    include Models::Scopes
+
+    included do
+      belongs_to :application, class_name: 'Doorkeeper::Application', inverse_of: :access_grants
+
+      if ::Rails.version.to_i < 4 || defined?(::ProtectedAttributes)
+        attr_accessible :resource_owner_id, :application_id, :expires_in, :redirect_uri, :scopes
+      end
+
+      validates :resource_owner_id, :application_id, :token, :expires_in, :redirect_uri, presence: true
+      validates :token, uniqueness: true
+
+      before_validation :generate_token, on: :create
+    end
+
+    module ClassMethods
+      def by_token(token)
+        where(token: token).limit(1).to_a.first
+      end
+    end
+
+    private
+
+    def generate_token
+      self.token = UniqueToken.generate
+    end
+  end
+end

data/lib/doorkeeper/models/access_token_mixin.rb

@@ -0,0 +1,122 @@
+module Doorkeeper
+  module AccessTokenMixin
+    extend ActiveSupport::Concern
+
+    include OAuth::Helpers
+    include Models::Expirable
+    include Models::Revocable
+    include Models::Accessible
+    include Models::Scopes
+
+    included do
+      belongs_to :application,
+                 class_name: 'Doorkeeper::Application',
+                 inverse_of: :access_tokens
+
+      validates :token, presence: true, uniqueness: true
+      validates :refresh_token, uniqueness: true, if: :use_refresh_token?
+
+      attr_writer :use_refresh_token
+
+      if ::Rails.version.to_i < 4 || defined?(::ProtectedAttributes)
+        attr_accessible :application_id, :resource_owner_id, :expires_in,
+                        :scopes, :use_refresh_token
+      end
+
+      before_validation :generate_token, on: :create
+      before_validation :generate_refresh_token,
+                        on: :create,
+                        if: :use_refresh_token?
+    end
+
+    module ClassMethods
+      def by_token(token)
+        where(token: token).limit(1).to_a.first
+      end
+
+      def by_refresh_token(refresh_token)
+        where(refresh_token: refresh_token).first
+      end
+
+      def revoke_all_for(application_id, resource_owner)
+        where(application_id: application_id,
+              resource_owner_id: resource_owner.id,
+              revoked_at: nil).
+          map(&:revoke)
+      end
+
+      def matching_token_for(application, resource_owner_or_id, scopes)
+        resource_owner_id = if resource_owner_or_id.respond_to?(:to_key)
+                              resource_owner_or_id.id
+                            else
+                              resource_owner_or_id
+                            end
+        token = last_authorized_token_for(application.try(:id), resource_owner_id)
+        token if token && Doorkeeper::OAuth::Helpers::ScopeChecker.matches?(token.scopes, scopes)
+      end
+
+      def find_or_create_for(application, resource_owner_id, scopes, expires_in, use_refresh_token)
+        if Doorkeeper.configuration.reuse_access_token
+          access_token = matching_token_for(application, resource_owner_id, scopes)
+          if access_token && !access_token.expired?
+            return access_token
+          end
+        end
+        create!(
+          application_id:    application.try(:id),
+          resource_owner_id: resource_owner_id,
+          scopes:            scopes.to_s,
+          expires_in:        expires_in,
+          use_refresh_token: use_refresh_token
+        )
+      end
+
+      def last_authorized_token_for(application_id, resource_owner_id)
+        where(application_id: application_id,
+              resource_owner_id: resource_owner_id,
+              revoked_at: nil).
+          send(order_method, created_at_desc).
+          limit(1).
+          to_a.
+          first
+      end
+    end
+
+    def token_type
+      'bearer'
+    end
+
+    def use_refresh_token?
+      !!@use_refresh_token
+    end
+
+    def as_json(_options = {})
+      {
+        resource_owner_id: resource_owner_id,
+        scopes: scopes,
+        expires_in_seconds: expires_in_seconds,
+        application: { uid: application.try(:uid) }
+      }
+    end
+
+    # It indicates whether the tokens have the same credential
+    def same_credential?(access_token)
+      application_id == access_token.application_id &&
+        resource_owner_id == access_token.resource_owner_id
+    end
+
+    def acceptable?(scopes)
+      accessible? && includes_scope?(*scopes)
+    end
+
+    private
+
+    def generate_refresh_token
+      write_attribute :refresh_token, UniqueToken.generate
+    end
+
+    def generate_token
+      self.token = UniqueToken.generate
+    end
+  end
+end

data/lib/doorkeeper/models/application_mixin.rb

@@ -0,0 +1,60 @@
+module Doorkeeper
+  module ApplicationMixin
+    extend ActiveSupport::Concern
+
+    include OAuth::Helpers
+    include Models::Scopes
+
+    included do
+      has_many :access_grants, dependent: :destroy, class_name: 'Doorkeeper::AccessGrant'
+      has_many :access_tokens, dependent: :destroy, class_name: 'Doorkeeper::AccessToken'
+
+      validates :name, :secret, :uid, presence: true
+      validates :uid, uniqueness: true
+      validates :redirect_uri, redirect_uri: true
+
+      before_validation :generate_uid, :generate_secret, on: :create
+
+      if ::Rails.version.to_i < 4 || defined?(::ProtectedAttributes)
+        attr_accessible :name, :redirect_uri
+      end
+    end
+
+    module ClassMethods
+      def by_uid_and_secret(uid, secret)
+        where(uid: uid, secret: secret).limit(1).to_a.first
+      end
+
+      def by_uid(uid)
+        where(uid: uid).limit(1).to_a.first
+      end
+    end
+
+    alias_method :original_scopes, :scopes
+    def scopes
+      if has_scopes?
+        original_scopes
+      else
+        fail NameError, "Missing column: `applications.scopes`.", <<-MSG.squish
+If you are using ActiveRecord run `rails generate doorkeeper:application_scopes
+&& rake db:migrate` to add it.
+        MSG
+      end
+    end
+
+    private
+
+    def has_scopes?
+      Doorkeeper.configuration.orm != :active_record ||
+        Application.new.attributes.include?("scopes")
+    end
+
+    def generate_uid
+      self.uid ||= UniqueToken.generate
+    end
+
+    def generate_secret
+      self.secret ||= UniqueToken.generate
+    end
+  end
+end

data/lib/doorkeeper/models/{expirable.rb → concerns/expirable.rb}

@@ -5,17 +5,18 @@ module Doorkeeper
         expires_in && Time.now > expired_time
       end
 
-      def expired_time
-        created_at + expires_in.seconds
-      end
-
       def expires_in_seconds
         return nil if expires_in.nil?
         expires = (created_at + expires_in.seconds) - Time.now
         expires_sec = expires.seconds.round(0)
         expires_sec > 0 ? expires_sec : 0
       end
-      private :expired_time
+
+      private
+
+      def expired_time
+        created_at + expires_in.seconds
+      end
     end
   end
 end

data/lib/doorkeeper/models/{ownership.rb → concerns/ownership.rb}

@@ -1,15 +1,15 @@
 module Doorkeeper
   module Models
     module Ownership
-      def validate_owner?
-        Doorkeeper.configuration.confirm_application_owner?
+      extend ActiveSupport::Concern
+
+      included do
+        belongs_to :owner, polymorphic: true
+        validates :owner, presence: true, if: :validate_owner?
       end
 
-      def self.included(base)
-        base.class_eval do
-          belongs_to :owner, polymorphic: true
-          validates :owner, presence: true, if: :validate_owner?
-        end
+      def validate_owner?
+        Doorkeeper.configuration.confirm_application_owner?
       end
     end
   end

data/lib/doorkeeper/models/{revocable.rb → concerns/revocable.rb}

@@ -6,7 +6,7 @@ module Doorkeeper
       end
 
       def revoked?
-        revoked_at.present?
+        !!(revoked_at && revoked_at <= DateTime.now)
       end
     end
   end

data/lib/doorkeeper/models/concerns/scopes.rb

@@ -0,0 +1,17 @@
+module Doorkeeper
+  module Models
+    module Scopes
+      def scopes
+        OAuth::Scopes.from_string(self[:scopes])
+      end
+
+      def scopes_string
+        self[:scopes]
+      end
+
+      def includes_scope?(*required_scopes)
+        required_scopes.blank? || required_scopes.any? { |s| scopes.exists?(s.to_s) }
+      end
+    end
+  end
+end

data/lib/doorkeeper/oauth/authorization/token.rb

@@ -10,12 +10,12 @@ module Doorkeeper
         end
 
         def issue_token
-          @token ||= AccessToken.create!(
-            application_id: pre_auth.client.id,
-            resource_owner_id: resource_owner.id,
-            scopes: pre_auth.scopes.to_s,
-            expires_in: configuration.access_token_expires_in,
-            use_refresh_token: false
+          @token ||= AccessToken.find_or_create_for(
+              pre_auth.client,
+              resource_owner.id,
+              pre_auth.scopes,
+              configuration.access_token_expires_in,
+              false
           )
         end
 

data/lib/doorkeeper/oauth/client.rb

@@ -10,7 +10,7 @@ module Doorkeeper
         end
       end
 
-      def self.authenticate(credentials, method = Application.method(:authenticate))
+      def self.authenticate(credentials, method = Application.method(:by_uid_and_secret))
         return false if credentials.blank?
         if application = method.call(credentials.uid, credentials.secret)
           new(application)

data/lib/doorkeeper/oauth/password_access_token_request.rb

@@ -6,7 +6,7 @@ module Doorkeeper
       include OAuth::Helpers
 
       validate :client,         error: :invalid_client
-      validate :resource_owner, error: :invalid_resource_owner
+      validate :resource_owner, error: :invalid_grant
       validate :scopes,         error: :invalid_scope
 
       attr_accessor :server, :resource_owner, :credentials, :access_token
@@ -19,8 +19,8 @@ module Doorkeeper
         @original_scopes = parameters[:scope]
 
         if credentials
-          @client = Application.authenticate credentials.uid,
-                                             credentials.secret
+          @client = Application.by_uid_and_secret credentials.uid,
+                                                  credentials.secret
         end
       end
 

data/lib/doorkeeper/oauth/pre_authorization.rb

@@ -48,7 +48,11 @@ module Doorkeeper
 
       def validate_scopes
         return true unless scope.present?
-        Helpers::ScopeChecker.valid? scope, server.scopes
+        if client.application.scopes.empty?
+          Helpers::ScopeChecker.valid?(scope, server.scopes)
+        else
+          Helpers::ScopeChecker.valid?(scope, server.scopes & client.application.scopes)
+        end
       end
 
       # TODO: test uri should be matched against the client's one

data/lib/doorkeeper/oauth/refresh_token_request.rb

@@ -14,14 +14,14 @@ module Doorkeeper
       attr_accessor :client
 
       def initialize(server, refresh_token, credentials, parameters = {})
-        @server           = server
-        @refresh_token    = refresh_token
-        @credentials      = credentials
-        @original_scopes  = parameters[:scopes]
+        @server          = server
+        @refresh_token   = refresh_token
+        @credentials     = credentials
+        @original_scopes = parameters[:scopes]
 
         if credentials
-          @client = Application.authenticate credentials.uid,
-                                             credentials.secret
+          @client = Application.by_uid_and_secret credentials.uid,
+                                                  credentials.secret
         end
       end
 

data/lib/doorkeeper/oauth/scopes.rb

@@ -17,7 +17,7 @@ module Doorkeeper
         end
       end
 
-      delegate :each, to: :@scopes
+      delegate :each, :empty?, to: :@scopes
 
       def initialize
         @scopes = []
@@ -55,6 +55,11 @@ module Doorkeeper
       def <=>(other)
         self.map(&:to_s).sort <=> other.map(&:to_s).sort
       end
+
+      def &(other)
+        other_array = other.present? ? other.all : []
+        self.class.from_array(all & other_array)
+      end
     end
   end
 end

data/lib/doorkeeper/oauth/token.rb

@@ -54,8 +54,9 @@ module Doorkeeper
       end
 
       def self.authenticate(request, *methods)
-        token = from_request request, *methods
-        AccessToken.authenticate(token) if token
+        if token = from_request(request, *methods)
+          AccessToken.by_token(token)
+        end
       end
     end
   end

data/lib/doorkeeper/orm/active_record/access_grant.rb

@@ -0,0 +1,7 @@
+module Doorkeeper
+  class AccessGrant < ActiveRecord::Base
+    include AccessGrantMixin
+
+    self.table_name = "#{table_name_prefix}oauth_access_grants#{table_name_suffix}".to_sym
+  end
+end

data/lib/doorkeeper/orm/active_record/access_token.rb

@@ -0,0 +1,21 @@
+module Doorkeeper
+  class AccessToken < ActiveRecord::Base
+    include AccessTokenMixin
+
+    self.table_name = "#{table_name_prefix}oauth_access_tokens#{table_name_suffix}".to_sym
+
+    def self.delete_all_for(application_id, resource_owner)
+      where(application_id: application_id,
+            resource_owner_id: resource_owner.id).delete_all
+    end
+    private_class_method :delete_all_for
+
+    def self.order_method
+      :order
+    end
+
+    def self.created_at_desc
+      'created_at desc'
+    end
+  end
+end

data/lib/doorkeeper/{models → orm}/active_record/application.rb

@@ -1,8 +1,6 @@
 module Doorkeeper
   class Application < ActiveRecord::Base
-    if Doorkeeper.configuration.active_record_options[:establish_connection]
-      establish_connection Doorkeeper.configuration.active_record_options[:establish_connection]
-    end
+    include ApplicationMixin
 
     self.table_name = "#{table_name_prefix}oauth_applications#{table_name_suffix}".to_sym
 

data/lib/doorkeeper/orm/active_record.rb

@@ -0,0 +1,17 @@
+module Doorkeeper
+  module Orm
+    module ActiveRecord
+      def self.initialize_models!
+        require 'doorkeeper/orm/active_record/access_grant'
+        require 'doorkeeper/orm/active_record/access_token'
+        require 'doorkeeper/orm/active_record/application'
+
+        if Doorkeeper.configuration.active_record_options[:establish_connection]
+          [Doorkeeper::AccessGrant, Doorkeeper::Application, Doorkeeper::AccessGrant].each do |c|
+            c.send :establish_connection, Doorkeeper.configuration.active_record_options[:establish_connection]
+          end
+        end
+      end
+    end
+  end
+end

data/lib/doorkeeper/{models → orm}/mongo_mapper/access_grant.rb

@@ -1,6 +1,9 @@
 module Doorkeeper
   class AccessGrant
     include MongoMapper::Document
+
+    include AccessGrantMixin
+
     safe
     timestamps!
 
@@ -9,14 +12,10 @@ module Doorkeeper
     key :resource_owner_id, ObjectId
     key :application_id,    ObjectId
     key :token,             String
+    key :scopes,            String
     key :expires_in,        Integer
     key :redirect_uri,      String
     key :revoked_at,        DateTime
-    key :scopes,            String
-
-    def scopes=(value)
-      write_attribute :scopes, value if value.present?
-    end
 
     def self.create_indexes
       ensure_index :token, unique: true