doorkeeper 1.4.1 → 2.0.0

data/lib/generators/doorkeeper/templates/initializer.rb

@@ -1,6 +1,7 @@
 Doorkeeper.configure do
   # Change the ORM that doorkeeper will use.
-  # Currently supported options are :active_record, :mongoid2, :mongoid3, :mongo_mapper
+  # Currently supported options are :active_record, :mongoid2, :mongoid3,
+  # :mongoid4, :mongo_mapper
   orm :active_record
 
   # This block will be called to check whether the resource owner is authenticated or not.
@@ -63,6 +64,12 @@ Doorkeeper.configure do
   #
   # native_redirect_uri 'urn:ietf:wg:oauth:2.0:oob'
 
+  # Forces the usage of the HTTPS protocol in non-native redirect uris (enabled
+  # by default in non-development environments). OAuth2 delegates security in
+  # communication to the HTTPS protocol so it is wise to keep this enabled.
+  #
+  # force_ssl_in_redirect_uri !Rails.env.development?
+
   # Specify what grant flows are enabled in array of Strings. The valid
   # strings and the flows they enable are:
   #

data/lib/generators/doorkeeper/templates/migration.rb

@@ -5,6 +5,7 @@ class CreateDoorkeeperTables < ActiveRecord::Migration
       t.string  :uid,          null: false
       t.string  :secret,       null: false
       t.text    :redirect_uri, null: false
+      t.string  :scopes,       null: false, default: ''
       t.timestamps
     end
 

data/lib/generators/doorkeeper/views_generator.rb

@@ -1,14 +1,13 @@
 module Doorkeeper
   module Generators
     class ViewsGenerator < ::Rails::Generators::Base
-      source_root File.expand_path('../../../../app/views/doorkeeper', __FILE__)
+      source_root File.expand_path('../../../../app/views', __FILE__)
 
-      desc 'Copies default Doorkeeper views to your application.'
+      desc 'Copies default Doorkeeper views and layouts to your application.'
 
       def manifest
-        directory 'applications', 'app/views/doorkeeper/applications'
-        directory 'authorizations', 'app/views/doorkeeper/authorizations'
-        directory 'authorized_applications', 'app/views/doorkeeper/authorized_applications'
+        directory 'doorkeeper', 'app/views/doorkeeper'
+        directory 'layouts/doorkeeper', 'app/views/layouts/doorkeeper'
       end
     end
   end

data/spec/controllers/applications_controller_spec.rb

@@ -16,9 +16,9 @@ module Doorkeeper
 
       it 'does not create application' do
         expect do
-          post :create, application: {
+          post :create, doorkeeper_application: {
             name: 'Example',
-            redirect_uri: 'http://example.com' }
+            redirect_uri: 'https://example.com' }
         end.to_not change { Doorkeeper::Application.count }
       end
     end
@@ -30,16 +30,16 @@ module Doorkeeper
 
       it 'creates application' do
         expect do
-          post :create, application: {
+          post :create, doorkeeper_application: {
             name: 'Example',
-            redirect_uri: 'http://example.com' }
+            redirect_uri: 'https://example.com' }
         end.to change { Doorkeeper::Application.count }.by(1)
         expect(response).to be_redirect
       end
 
       it 'does not allow mass assignment of uid or secret' do
         application = FactoryGirl.create(:application)
-        put :update, id: application.id, application: {
+        put :update, id: application.id, doorkeeper_application: {
           uid: '1A2B3C4D',
           secret: '1A2B3C4D' }
 
@@ -48,9 +48,9 @@ module Doorkeeper
 
       it 'updates application' do
         application = FactoryGirl.create(:application)
-        put :update, id: application.id, application: {
+        put :update, id: application.id, doorkeeper_application: {
           name: 'Example',
-          redirect_uri: 'http://example.com' }
+          redirect_uri: 'https://example.com' }
         expect(application.reload.name).to eq 'Example'
       end
     end

data/spec/controllers/protected_resources_controller_spec.rb

@@ -10,66 +10,10 @@ module ControllerActions
   end
 end
 
-shared_examples 'specified for particular actions' do
-  context 'with valid token', token: :valid do
-    it 'allows into index action' do
-      get :index, access_token: token_string
-      expect(response).to be_success
-    end
-
-    it 'allows into show action' do
-      get :show, id: '3', access_token: token_string
-      expect(response).to be_success
-    end
-  end
-
-  context 'with invalid token', token: :invalid do
-    include_context 'invalid token'
-
-    it 'does not allow into index action' do
-      get :index, access_token: token_string
-      expect(response.status).to eq 401
-      expect(response.headers['WWW-Authenticate']).to match(/^Bearer/)
-    end
-
-    it 'allows into show action' do
-      get :show, id: '5', access_token: token_string
-      expect(response).to be_success
-    end
-  end
-end
-
-shared_examples 'specified with except' do
-  context 'with valid token', token: :valid do
-    it 'allows into index action' do
-      get :index, access_token: token_string
-      expect(response).to be_success
-    end
-
-    it 'allows into show action' do
-      get :show, id: '4', access_token: token_string
-      expect(response).to be_success
-    end
-  end
-
-  context 'with invalid token', token: :invalid do
-    it 'allows into index action' do
-      get :index, access_token: token_string
-      expect(response).to be_success
-    end
-
-    it 'does not allow into show action' do
-      get :show, id: '14', access_token: token_string
-      expect(response.status).to eq 401
-      expect(response.headers['WWW-Authenticate']).to match(/^Bearer/)
-    end
-  end
-end
-
-describe 'Doorkeeper_for helper' do
+describe 'doorkeeper authorize filter' do
   context 'accepts token code specified as' do
     controller do
-      doorkeeper_for :all
+      before_filter :doorkeeper_authorize!
 
       def index
         render text: 'index'
@@ -82,39 +26,39 @@ describe 'Doorkeeper_for helper' do
     end
 
     it 'access_token param' do
-      expect(Doorkeeper::AccessToken).to receive(:authenticate).with(token_string).and_return(token)
+      expect(Doorkeeper::AccessToken).to receive(:by_token).with(token_string).and_return(token)
       get :index, access_token: token_string
     end
 
     it 'bearer_token param' do
-      expect(Doorkeeper::AccessToken).to receive(:authenticate).with(token_string).and_return(token)
+      expect(Doorkeeper::AccessToken).to receive(:by_token).with(token_string).and_return(token)
       get :index, bearer_token: token_string
     end
 
     it 'Authorization header' do
-      expect(Doorkeeper::AccessToken).to receive(:authenticate).with(token_string).and_return(token)
+      expect(Doorkeeper::AccessToken).to receive(:by_token).with(token_string).and_return(token)
       request.env['HTTP_AUTHORIZATION'] = "Bearer #{token_string}"
       get :index
     end
 
     it 'different kind of Authorization header' do
-      expect(Doorkeeper::AccessToken).not_to receive(:authenticate)
+      expect(Doorkeeper::AccessToken).not_to receive(:by_token)
       request.env['HTTP_AUTHORIZATION'] = "MAC #{token_string}"
       get :index
     end
 
     it 'does not change Authorization header value' do
-      expect(Doorkeeper::AccessToken).to receive(:authenticate).exactly(2).times.and_return(token)
+      expect(Doorkeeper::AccessToken).to receive(:by_token).exactly(2).times.and_return(token)
       request.env['HTTP_AUTHORIZATION'] = "Bearer #{token_string}"
       get :index
-      controller.send(:remove_instance_variable, :@token)
+      controller.send(:remove_instance_variable, :@_doorkeeper_token)
       get :index
     end
   end
 
   context 'defined for all actions' do
     controller do
-      doorkeeper_for :all
+      before_filter :doorkeeper_authorize!
 
       include ControllerActions
     end
@@ -146,27 +90,9 @@ describe 'Doorkeeper_for helper' do
     end
   end
 
-  context 'defined only for index action' do
-    controller do
-      doorkeeper_for :index
-
-      include ControllerActions
-    end
-    include_examples 'specified for particular actions'
-  end
-
-  context 'defined for actions except index' do
-    controller do
-      doorkeeper_for :all, except: :index
-
-      include ControllerActions
-    end
-    include_examples 'specified with except'
-  end
-
   context 'defined with scopes' do
     controller do
-      doorkeeper_for :all, scopes: [:write]
+      before_filter -> { doorkeeper_authorize! :write }
 
       include ControllerActions
     end
@@ -175,16 +101,16 @@ describe 'Doorkeeper_for helper' do
 
     it 'allows if the token has particular scopes' do
       token = double(Doorkeeper::AccessToken, accessible?: true, scopes: %w(write public))
-      expect(token).to receive(:acceptable?).with(['write']).and_return(true)
-      expect(Doorkeeper::AccessToken).to receive(:authenticate).with(token_string).and_return(token)
+      expect(token).to receive(:acceptable?).with([:write]).and_return(true)
+      expect(Doorkeeper::AccessToken).to receive(:by_token).with(token_string).and_return(token)
       get :index, access_token: token_string
       expect(response).to be_success
     end
 
     it 'does not allow if the token does not include given scope' do
       token = double(Doorkeeper::AccessToken, accessible?: true, scopes: ['public'], revoked?: false, expired?: false)
-      expect(Doorkeeper::AccessToken).to receive(:authenticate).with(token_string).and_return(token)
-      expect(token).to receive(:acceptable?).with(['write']).and_return(false)
+      expect(Doorkeeper::AccessToken).to receive(:by_token).with(token_string).and_return(token)
+      expect(token).to receive(:acceptable?).with([:write]).and_return(false)
       get :index, access_token: token_string
       expect(response.status).to eq 403
       expect(response.header).to_not include('WWW-Authenticate')
@@ -193,7 +119,7 @@ describe 'Doorkeeper_for helper' do
 
   context 'when custom unauthorized render options are configured' do
     controller do
-      doorkeeper_for :all
+      before_filter :doorkeeper_authorize!
 
       include ControllerActions
     end
@@ -212,7 +138,6 @@ describe 'Doorkeeper_for helper' do
         expect(parsed_body).not_to be_nil
         expect(parsed_body['error']).to eq('Unauthorized')
       end
-
     end
 
     context 'with a text custom render', token: :invalid do
@@ -230,91 +155,16 @@ describe 'Doorkeeper_for helper' do
     end
   end
 
-  context 'when defined with conditional if block' do
-    controller do
-      doorkeeper_for :index, if: -> { the_false }
-      doorkeeper_for :show,  if: -> { the_true }
-
-      include ControllerActions
-
-      private
-
-      def the_true
-        true
-      end
-
-      def the_false
-        false
-      end
-    end
-
-    context 'with valid token', token: :valid do
-      it 'enables access if passed block evaluates to false' do
-        get :index, access_token: token_string
-        expect(response).to be_success
-      end
-
-      it 'enables access if passed block evaluates to true' do
-        get :show, id: 1, access_token: token_string
-        expect(response).to be_success
-      end
-    end
-
-    context 'with invalid token', token: :invalid do
-      it 'enables access if passed block evaluates to false' do
-        get :index, access_token: token_string
-        expect(response).to be_success
-      end
-
-      it 'does not enable access if passed block evaluates to true' do
-        get :show, id: 3, access_token: token_string
-        expect(response.status).to eq 401
-        expect(response.header['WWW-Authenticate']).to match(/^Bearer/)
-      end
-    end
-  end
-
-  context 'when defined with conditional unless block' do
-    controller do
-      doorkeeper_for :index, unless: -> { the_false }
-      doorkeeper_for :show, unless: -> { the_true }
-
-      include ControllerActions
-
-      def the_true
-        true
-      end
-
-      private
-
-      def the_false
-        false
-      end
-    end
-
-    context 'with valid token', token: :valid do
-      it 'allows access if passed block evaluates to false' do
-        get :index, access_token: token_string
-        expect(response).to be_success
-      end
-
-      it 'allows access if passed block evaluates to true' do
-        get :show, id: 1, access_token: token_string
-        expect(response).to be_success
-      end
-    end
-
-    context 'with invalid token', token: :invalid do
-      it 'does not allow access if passed block evaluates to false' do
-        get :index, access_token: token_string
-        expect(response.status).to eq 401
-        expect(response.header['WWW-Authenticate']).to match(/^Bearer/)
-      end
-
-      it 'allows access if passed block evaluates to true' do
-        get :show, id: 3, access_token: token_string
-        expect(response).to be_success
-      end
+  context 'defined for all actions' do
+    controller {}
+
+    it 'it renders a custom JSON response', token: :invalid do
+      expect do
+        controller.class.doorkeeper_for
+      end.to raise_error(
+        Doorkeeper::Errors::DoorkeeperError,
+        /`doorkeeper_for` no longer available/
+      )
     end
   end
 end

data/spec/controllers/tokens_controller_spec.rb

@@ -18,20 +18,26 @@ describe Doorkeeper::TokensController do
   end
 
   describe 'when authorization has failed' do
-    let :token do
-      double(:token, authorize: false)
-    end
-
-    before do
+    it 'returns the error response' do
+      token = double(:token, authorize: false)
       allow(controller).to receive(:token) { token }
-    end
 
-    it 'returns the error response' do
-      skip 'verify need of these specs'
-      allow(token).to receive(:error_response).and_return(double(to_json: [], status: :unauthorized))
       post :create
+
       expect(response.status).to eq 401
       expect(response.headers['WWW-Authenticate']).to match(/Bearer/)
     end
   end
+
+  describe 'when revoke authorization has failed' do
+    # http://tools.ietf.org/html/rfc7009#section-2.2
+    it 'returns no error response' do
+      token = double(:token, authorize: false)
+      allow(controller).to receive(:token) { token }
+
+      post :revoke
+
+      expect(response.status).to eq 200
+    end
+  end
 end

data/spec/dummy/app/controllers/full_protected_resources_controller.rb

@@ -1,6 +1,6 @@
 class FullProtectedResourcesController < ApplicationController
-  doorkeeper_for :index
-  doorkeeper_for :show, scopes: [:admin]
+  before_filter -> { doorkeeper_authorize! :admin }, only: :show
+  before_filter :doorkeeper_authorize!, only: :index
 
   def index
     render text: 'index'

data/spec/dummy/app/controllers/metal_controller.rb

@@ -1,9 +1,9 @@
 class MetalController < ActionController::Metal
   include AbstractController::Callbacks
   include ActionController::Head
-  include Doorkeeper::Helpers::Filter
+  include Doorkeeper::Rails::Helpers
 
-  doorkeeper_for :all
+  before_filter :doorkeeper_authorize!
 
   def index
     self.response_body = { ok: true }.to_json

data/spec/dummy/app/controllers/semi_protected_resources_controller.rb

@@ -1,11 +1,11 @@
 class SemiProtectedResourcesController < ApplicationController
-  doorkeeper_for :index
+  before_filter :doorkeeper_authorize!, only: :index
 
   def index
     render text: 'protected index'
   end
 
   def show
-    render text: 'protected show'
+    render text: 'non protected show'
   end
 end

data/spec/dummy/app/models/user.rb

@@ -1,8 +1,8 @@
-case DOORKEEPER_ORM
-when :active_record
+case DOORKEEPER_ORM.to_s
+when "active_record"
   class User < ActiveRecord::Base
   end
-when :mongoid2, :mongoid3, :mongoid4
+when /mongoid/
   class User
     include Mongoid::Document
     include Mongoid::Timestamps
@@ -10,7 +10,7 @@ when :mongoid2, :mongoid3, :mongoid4
     field :name, type: String
     field :password, type: String
   end
-when :mongo_mapper
+when "mongo_mapper"
   class User
     include MongoMapper::Document
     timestamps!
@@ -21,7 +21,7 @@ when :mongo_mapper
 end
 
 class User
-  if ::Rails.version.to_i < 4
+  if ::Rails.version.to_i < 4 || defined?(::ProtectedAttributes)
     attr_accessible :name, :password
   end
 

data/spec/dummy/config/application.rb

@@ -5,7 +5,7 @@ require 'sprockets/railtie'
 
 Bundler.require :default
 
-orm = if [:mongoid2, :mongoid3, :mongoid4].include?(DOORKEEPER_ORM)
+orm = if DOORKEEPER_ORM =~ /mongoid/
         Mongoid.load!(File.join(File.dirname(File.expand_path(__FILE__)), "#{DOORKEEPER_ORM}.yml"))
         :mongoid
       else
@@ -50,5 +50,7 @@ module Dummy
 
     # Version of your assets, change this if you want to expire all your assets
     config.assets.version = '1.0'
+
+    I18n.enforce_available_locales = false
   end
 end

data/spec/dummy/config/boot.rb

@@ -1,6 +1,9 @@
 require 'rubygems'
 require 'bundler/setup'
 
-DOORKEEPER_ORM = (ENV['orm'] || :active_record).to_sym unless defined?(DOORKEEPER_ORM)
+orm = ENV['BUNDLE_GEMFILE'].match(/Gemfile\.(.+)\.rb/)
+unless defined?(DOORKEEPER_ORM)
+  DOORKEEPER_ORM = (orm && orm[1]) || :active_record
+end
 
 $LOAD_PATH.unshift File.expand_path('../../../../lib', __FILE__)

data/spec/dummy/db/migrate/20141209001746_add_scopes_to_oauth_applications.rb

@@ -0,0 +1,5 @@
+class AddScopesToOauthApplications < ActiveRecord::Migration
+  def change
+    add_column :oauth_applications, :scopes, :string, null: false, default: ''
+  end
+end

data/spec/dummy/db/schema.rb

@@ -9,57 +9,58 @@
 # from scratch. The latter is a flawed and unsustainable approach (the more migrations
 # you'll amass, the slower it'll run and the greater likelihood for issues).
 #
-# It's strongly recommended to check this file into your version control system.
+# It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20130902175349) do
+ActiveRecord::Schema.define(version: 20141209001746) do
 
-  create_table 'oauth_access_grants', force: true do |t|
-    t.integer  'resource_owner_id',                 null: false
-    t.integer  'application_id',                    null: false
-    t.string   'token',                             null: false
-    t.integer  'expires_in',                        null: false
-    t.text     'redirect_uri',                      null: false
-    t.datetime 'created_at',                        null: false
-    t.datetime 'revoked_at'
-    t.string   'scopes'
+  create_table "oauth_access_grants", force: true do |t|
+    t.integer  "resource_owner_id",              null: false
+    t.integer  "application_id",                 null: false
+    t.string   "token",                          null: false
+    t.integer  "expires_in",                     null: false
+    t.string   "redirect_uri",      limit: 2048, null: false
+    t.datetime "created_at",                     null: false
+    t.datetime "revoked_at"
+    t.string   "scopes"
   end
 
-  add_index 'oauth_access_grants', ['token'], name: 'index_oauth_access_grants_on_token', unique: true
+  add_index "oauth_access_grants", ["token"], name: "index_oauth_access_grants_on_token", unique: true
 
-  create_table 'oauth_access_tokens', force: true do |t|
-    t.integer  'resource_owner_id'
-    t.integer  'application_id'
-    t.string   'token',             null: false
-    t.string   'refresh_token'
-    t.integer  'expires_in'
-    t.datetime 'revoked_at'
-    t.datetime 'created_at',        null: false
-    t.string   'scopes'
+  create_table "oauth_access_tokens", force: true do |t|
+    t.integer  "resource_owner_id"
+    t.integer  "application_id"
+    t.string   "token",             null: false
+    t.string   "refresh_token"
+    t.integer  "expires_in"
+    t.datetime "revoked_at"
+    t.datetime "created_at",        null: false
+    t.string   "scopes"
   end
 
-  add_index 'oauth_access_tokens', ['refresh_token'], name: 'index_oauth_access_tokens_on_refresh_token', unique: true
-  add_index 'oauth_access_tokens', ['resource_owner_id'], name: 'index_oauth_access_tokens_on_resource_owner_id'
-  add_index 'oauth_access_tokens', ['token'], name: 'index_oauth_access_tokens_on_token', unique: true
+  add_index "oauth_access_tokens", ["refresh_token"], name: "index_oauth_access_tokens_on_refresh_token", unique: true
+  add_index "oauth_access_tokens", ["resource_owner_id"], name: "index_oauth_access_tokens_on_resource_owner_id"
+  add_index "oauth_access_tokens", ["token"], name: "index_oauth_access_tokens_on_token", unique: true
 
-  create_table 'oauth_applications', force: true do |t|
-    t.string   'name',                         null: false
-    t.string   'uid',                          null: false
-    t.string   'secret',                       null: false
-    t.text     'redirect_uri',                 null: false
-    t.datetime 'created_at',                   null: false
-    t.datetime 'updated_at',                   null: false
-    t.integer  'owner_id'
-    t.string   'owner_type'
+  create_table "oauth_applications", force: true do |t|
+    t.string   "name",                                   null: false
+    t.string   "uid",                                    null: false
+    t.string   "secret",                                 null: false
+    t.string   "redirect_uri", limit: 2048,              null: false
+    t.datetime "created_at",                             null: false
+    t.datetime "updated_at",                             null: false
+    t.integer  "owner_id"
+    t.string   "owner_type"
+    t.string   "scopes",                    default: "", null: false
   end
 
-  add_index 'oauth_applications', %w(owner_id owner_type), name: 'index_oauth_applications_on_owner_id_and_owner_type'
-  add_index 'oauth_applications', ['uid'], name: 'index_oauth_applications_on_uid', unique: true
+  add_index "oauth_applications", ["owner_id", "owner_type"], name: "index_oauth_applications_on_owner_id_and_owner_type"
+  add_index "oauth_applications", ["uid"], name: "index_oauth_applications_on_uid", unique: true
 
-  create_table 'users', force: true do |t|
-    t.string   'name'
-    t.datetime 'created_at', null: false
-    t.datetime 'updated_at', null: false
-    t.string   'password'
+  create_table "users", force: true do |t|
+    t.string   "name"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+    t.string   "password"
   end
 
 end

data/spec/factories.rb

@@ -0,0 +1,24 @@
+FactoryGirl.define do
+  factory :access_grant, class: Doorkeeper::AccessGrant do
+    sequence(:resource_owner_id) { |n| n }
+    application
+    redirect_uri 'https://app.com/callback'
+    expires_in 100
+    scopes 'public write'
+  end
+
+  factory :access_token, class: Doorkeeper::AccessToken do
+    sequence(:resource_owner_id) { |n| n }
+    application
+    expires_in 2.hours
+
+    factory :clientless_access_token do
+      application nil
+    end
+  end
+
+  factory :application, class: Doorkeeper::Application do
+    sequence(:name) { |n| "Application #{n}" }
+    redirect_uri 'https://app.com/callback'
+  end
+end